The mails have this text in their body:

Dear Microsoft Customer,

Starting 12/11/2009 the ‘Conficker’ worm began infecting Microsoft customers unusually rapidly.Microsoft has been advised by your Internetprovider that your network is infected.

To counteract further spread we advise removing the infection using an antispyware program. We are supplying all effected Windows Users with a free system scan in order to clean any files infected by the virus.

Please install attached file to start the scan. The process takes under a minute and will prevent your files from being compromised. We appreciate your prompt cooperation.

Regards,

Microsoft Windows Agent #2 (Hollis)
Microsoft Windows Computer Safety Division

The subject of the mails is “Conflicker.B Infection Alert”. Don’t open the malware attachment of this email and just delete the email altogether. Users of Avira solutions are protected: The attached file is detected generically as TR/Crypt.ZPACK.Gen – without an update.

Dirk Knop
Technical Editor

Having a look in the first 3 days of November we have observed that the trend didn’t actually change. We did notice changes in the social engineering techniques used to advertise the various malware, though.

We have the good old trick with the

- notification “Attachment: no virus found” (detected as TR/Netsky.HB) ,

- “promised photos” from the last holidays (detected as TR/Crypt.ZPACK.Gen),

- boss sending a letter (detected as BDS/Small.ZO Backdoor server),

- undelivered DHL Package (detected as TR/Crypt.ZPACK.Gen),

- and of course the Facebook password change request (current versions detected as BDS/Small.ZO Backdoor server).

Except these malware emails which make up more than 60% of the spam we received so far, the trend is constant: Spam mails concerning online casinos, online pharmacies and various replicas clog up the inboxes.

If the trend from last year is going to be repeated this year, then we should start to see a lot more spam spreading malware and phishing soon. Last years November was pretty busy but we’ve recorded a very relaxed December.

All the above mails are being detected by our Antispam engine as Spam and by the Antivirus engine as already described. Avira users thus are well protected.

Sorin Mustaca
Manager International Software Development

Fig. 1: This fake email is trying to make the recipient execute the attached malware.

Such emails have been successful already a few years ago. I thought we wouldn’t see them again as the people should already know not to execute attachments from emails they didn’t request. Anyhow, the recent spam waves teach us something else.

So please, remember the drill: In case that someone sends an email with an attachment, make sure that the sender is real and that he/she really wanted to send you that file. Else it is most likely malware. In any case keep your antivirus software up to date so it can detect new malware.

Avira products detect the attached malware from that spam wave as TR/Dldr.Bredolab.AX with the vdf update to version 7.01.06.155.

Dirk Knop
Technical Editor

Fig. 1: The new Koobface variant forces the user to solve Captchas.

If the Captcha is entered correctly, the desktop is set free again – but the malware will open another pop up eventually. Avira detects the threat generically as TR/Downloader.Gen – it gets installed into the windows directory and then downloads the actual Koobface malware. Those files get detected as Worm/Koobface.cfm and Worm/Koobface.cci. This isn’t the end of the downloads yet – the Koobfaces download further components, which Avira warns of as TR/Dldr.Small.anlx and TR/PSW.LdPinch.102400D, respectively. Avira users thus are protected from this threat.

Viktor Gräber
Virus Researcher

Unfortunately I was too slow in checking what the account was distributing. I can only guess that an account which is called Br.it.neyF***.Vids (drdtbwcxgaho) (some characters replaced with asterisks) might distribute links to some known fake codecs which are actually malware. Also the avatar of the account was specially chosen to attract the attention to those interested in such matters (this is why I masked it out).

Immediately after I clicked on the account, I’ve seen that Twitter already blocked it, taking my pleasure to report it as spam:

Nice to see that Twitter is not completely unaware of such things. By the way, this account was falling into the spammer-category according to my proposed template in my earlier article about Twitter Spam: Zero followers, following many , only a few tweets. Definitely a spammer!

Sorin Mustaca
Manager International Software Development

Fig. 1: The email claims to carry a Conficker removal tool.

The mail claims that the network where the PC is located is infected with Conficker.B and that the ISP has informed Microsoft about that. The attached tool allegedly offers a free system scan.

The attachment is a FakeAV solution though; also Microsoft would never send out an executable attachment without former consent via email. Do not execute the malware in the zip file from the mail! Avira detects it as TR/Vilsel.ior with the VDF 7.01.06.127.

Dirk Knop
Technical Editor

Fig. 1: The spammed emails contain malware.

Different malware emails have been sent around: Some directly include the malware as attachment, others link to a web site where the malware can be downloaded (spear phishing). The Avira Risk Level indicates the phishing level 4 which acknowledges increased phishing activities.

Fig. 2: Another wave of emails is pointing to a fake web site.

While in the html email the malware link is shown as leading to the real domain, the link really points to an URL of the following form: http://EMAIL_DOMAIN.BADHOST.COM/owa/service_directory/settings.php?email=USER@EMAIL_DOMAIN&from=EMAIL_DOMAIN&fromname=USER . If the receiver of the mail is in a rush he might thus believe he is on the real OWA web site.

Fig. 3: The web site where the mail points too looks convincing, too.

While Avira Antispam detects the emails as spam and the URLs are being blacklisted, the virus lab released detections for the malware with a VDF update. The malware is detected as TR/Vilsel.iop and as TR/Spy.ZBot.9164.1, respectively, with the VDF file 7.01.06.111. The Vilsel trojan is yet another incarnation of the FakeAV plague while the ZBot is stealing information.

Anyway do not open these attachments or download the alleged setting files! They can lead to an infection of your system and put it under control of the malware authors!

Dirk Knop
Technical Editor

Sorin Mustaca
Manager International Software Development

In those forums there were links embedded in the posts which lead to a JavaScript on a Russian website. A google search with the URL revealed that already more than 100 web pages, especially forums, got infected with that malicious link – the infection rate is increasing fast. Later another URL with the malware script was identified, which Google reported on more than 16.000 obviously infected web pages.

Fig. 1: The JavaScript is encrypted and obfuscated in several layers.

The JavaScript is trying to exploit several vulnerabilities to silently install malware on affected users’ computers. Among these are exploits for Microsoft Video ActiveX Control Vulnerability (CVE-2008-0015), Microsoft Internet Explorer XML Parsing Vulnerability (CVE-2008-4844), Microsoft Internet Explorer Malformed CSS Memory Corruption Vulnerability (CVE-2009-0076) and some PDF exploits for Firefox and the Internet Explorer. All these exploits are already known and security updates are available. The malware writers obviously assume that a lot of Internet users do not update their systems.

Fig. 2: Decrypting the JavaScript needed some brute force, too.

That malicious JavaScript is hosted on a fast-flux’ed domain – the Internet addresses to which the embedded link points resolves to different locations every few minutes (fast flux as abbreviation from fast fluctuation, see Wikipedia). So it doesn’t help to take down one server as there are plenty of them. Usually infected computers serve the malware.

Fig. 3: The domain the JavaScript was loaded from was a fastflux'ed domain.

The servers are GeoIP-aware. Trying to access them directly with an IP from Deutsche Telekom network resulted in an “access denied”, while using a proxy in the USA made the bots deliver the malware.

Fig. 4: The shellcode in the JavaScript finally leads to a FakeAV infection.

But this malware – Avira detects it TR/FraudPack.ams – is just another downloader. It is encrypted with some layers as well.

Fig. 5: The crypter author sends out greetings to Sunbelt.

One of the encryption layers contains greetings to the company Sunbelt.

Fig. 6: Contents of the FakeAV downloader svcst.exe.

It accesses a set of “double fast-flux’ed” domains to fetch the actual malware, a FakeAV and a ftp password stealer which sends the data to guest books on the Internet. These are detected by Avira with generic detection as TR/Crypt.ZPACK.Gen and as TR/FakeAV.RK, while the password uploader gets detected as TR/Downloader.Gen.

Fig. 7: The FakeAV disguises itself as Antivirus Pro 2010.

The WebGuard of the Avira Premium and Professional blocks the URLs from where the malicious JavaScript is included and also the malware download URLs. Avira AntiVir also protects users from the downloaded malware.

(Article updated on 6th October to add more details about the malware.)

Emanuel Somosan
Moritz Kroll
Engine R&D

Dirk Knop
Technical Editor

Fig. 1: The spam mail pointing to the malware site.

All Avira products detect the Trojans as TR/Spy.ZBot (in several variants). Our users of Avira AntiVir Premium, Avira Premium Security Suite and WebGate are protected because the URLs are being blocked.

The emails are having the address of the recipient in the URL in order to confirm that somebody actually clicked on the URL: http://www.irs.gov.<host>.com/fraud_application/directory/statement.php?email=ngthisleter@<email.com>&tid=ngthisleter-00000174073547US

Fig. 2: The fake IRS site with the malware.

The URLs are highly volatile, we see them only active for a couple of hours. However, the hosts which host the malware file called “tax-statement.exe” are still active. So please don’t follow those links!

Update from 30 September 2009: This spam wave now came to an end, from one day to the other there were no new malware mails!

Sorin Mustaca
Manager International Software Development

Now upon starting the assumed keygen, instead of providing the user with a serial number, it infects the system. It drops three files on the hard disk:
<%AllUsers Profile%>\Local Settings\Application Data\scvhost.exe
C:\Sys.exe
C:\autorun.inf

The dropped scvhost.exe also gets added to the autorun registry keys so it gets executed after every reboot. The autorun.inf and sys.exe aren’t only created on the system hard disk, but also on all removable drives. This seems to be the spreading mechanism of the worm.

If you take a closer look at the malware, one thing sure catches attention. At the end you find the strings “VaQxiNe-steam=1firefox=1cookies=1sandboxie=1zonealarm=1
wireshark=1anubis=1virtualpc=1keyscrambler=1startup=1usb=1task=1″. This hints that the Vaqxination toolkit got used. The construction kit has some features interesting for cybercriminals:

Fig. 2: The Malware Toolkit used to create the worm.

Further Features of the toolkit according to the advertisement of the Toolkit programmer:
- Vista UAC Bypass
- Run-as-admin Bypass
- Fully stealth
- “Legit” Windows Process
- Stronger output encryption
- Only 15 US-$ for the Toolkit.

That string seems to be the configuration that the malware creator used with the Malware Construction Kit. The features seem to work as described, for example the malware is undetectable by the Anubis sandbox system:

Fig. 1: The autorun-worm uses some anti-sandboxing tricks.

The Vaqxination Malware Construction Toolkit currently steals passwords from Firefox and Steam and also logs all keystrokes. Those log files get sent to the email account the creator has chosen before building the malware.

Avira detects the bogus key generator as Worm/Autorun.sxa with VDF version 7.01.06.18. For malware authors, keygens are a simple way to infect user PCs for a longer time already. If an antivirus solution warns from malware within such a keygen, this is nearly always a correct detection – the probability of a false positive detection is extremely low. Also the websites where such keygens usually are offered often try to infect PCs via drive-by-downloads. So be very careful when searching for software like this!

Dirk Knop
Technical Editor