Sunday, January 4, 2009

Anatomy of a malware scam: How everclipz.com infects people and evades the good guys

Hundreds of thousands at risk daily

In my previous posts, I have talked about malware downloaded from everclipz.com and how they keep the anti-malware vendors guessing. The downloaded malware is not detected by a majority of the anti-virus software. Also of interest is how the site operates, since it gives us knowledge as to how malware distribution actually works.

How is the attack carried out: Search engine results are infiltrated by pages which purportedly show sex videos. These sites themselves do not have any malware, but the pictures link to another different webpage, the pictures of which then link towards a subdomain of everclipz.com which downloads a trojan disguised as an active X video player. The execution (running) of this file causes download of other files, which may, among other things, lead to disclosure of financial information and computer takeover by a remote person.

So, there are two “buffer sites” which lead on to the main exploit site. This is to guard against link scanners getting wise. The main site, full of explicit pictures, then gives the option of a codec, which then installs the malware.All the time, the main site,www.everclipz.com is never active, and never appears in any search results. This helps in keeping the site anonymous.

A search by whois showed the ip number to be 212.95.55.61, with the ip hosted in china.and two more domains associated Bestimagez.com and selectingz.com. What is frightening is that the ip address was registered just on the 29th of December, and within a space of 1 week, it has moved up to a daily Alexa traffic ranking of 2797. That means a traffic of a few hundred thousand per day. A few hundred thousand potentially infected computers per day. It is high time this site was put to an end.

 

 

Pictures: How to get infected: Click on the link



First link: Not infected, pictures link to a second non infected site



Picture: As you can see, the link scanner in the search engine did not pick up the site because it really did not have any exploits, nor was linked to one

 

 

Second link: Still no exploits, but the pictures link to a third site

 

 

The main exploit site: Note how precisely the picture simulating the pop up window is placed.

Clicking on the "window" leads to the appearance of a download dialog for the actual malware (setup.exe).

 

 

Finally, the frightening aspect: Notice how rapidly the Alexa traffic rank is going up. The number of people reaching the site now is estimated to be hundreds of thousands daily

Malware Authors Present AntiMalware Vendors a Moving Target

One Site, Four Days, Four Different Trojans

Analysis of the site everclipz.com provides a grim reminder of the challenges and limitations of anti-malware software. . (Warning:Please do not visit the site, it is potentially very very risky, downloading a variant of the Zlob trojan). I had first hit upon the site on the first of January, looking for an “additional media codec” to improve upon my malware collection. It was looking like a run of the mill spoof of PornTube, but it was linked to by plenty of other infected sites. (BTW, I have to thank Microsoft Live Search for getting the site, I was getting bored not getting plenty of infected links on Google, interesting for me perhaps, but it is extremely risky for the general public). I downloaded the “active X control” in my Opera browser and scanned it for viruses on Virus total. Only fourteen engines could detect it. Of course, I thought that it was a new variant, but was curious how the vendors would respond to this threat.

I followed up on the site again on the third of January, and was surprised. A new variant of the trojan was being downloaded, which was again detected by only fourteen new anti-viruses.The same story was repeated on the fourth and on the fifth. The malware distributor was moving before the anti-virus vendors could respond. Inspite of updated signatures showing slightly improved detection rates by anti-viruses, the risk to the end user visiting the site remained the same. Therefore, the updated signatures seem to be a giant waste of manpower and time for the anti-viruses. Making custom malware has become very common, with DIY kits being found in the underground.

 

1st January, 2009

3rd January 2009

4th January 2009

5th January 2009

MD5 Hash

4852a1513534cc72

52d5fe4bbd913951

162d9fda8047df161

90182a8ea4897f5

a326a54e41a560832

89aa863d060cfad

a96a824f19c2da0b6

c90201fb01f4ef6

Detected by how many viruses initially

14

14

14

12

Detected by how many viruses now (on 5th January)

20

17

15

12

What is the moral of the story?

  1. Do not depend on signature based detection. It is useful in some cases, but in the face of todays web based threats, it has lost its sheen

  2. Additional protective measures must be used. In my case, even though Avast! Could not detect any of the viruses first time, it provided protection by recognizing and blocking the malicious url (pic given below). A similar functionality should be found in AVG Link Scanner. Look to prevent going to the sites. However, it has to be recognized that these mechanisms will also fail, as a result of which the following two points are extremely important.

  3. Protection by means of limited accounts and a policy of distrust towards web downloads goes a long way.

  4. Do not go searching for trouble. You, ultimately are responsible for your own security. And look out for potential signals of trouble. In this case, it was quite clear, a third party site spoofing as PornTube, and then asking for aan “Active X control “ in Opera.

    Picture: Looking at the address bar shows that the website is fake. The "video Active X display" should make one even more suspicious. Finally, using a limited account with parental controls will go a long way in protecting you.

Friday, January 2, 2009

You do not have to pay extra for the best antivirus

How to block any malware from entering Vista, for free

The best antivirus on Windows Vista comes free, along with the operating system. Yes, I repeat, its true: the best solution for all spyware and viruses comes along with the operating system; you just have to unlock it.

 

Just go to the control panel, click on user accounts, make a new standard account and enable strict parental controls in allowing only a selected set of programs to run. Then, choose a strong password for your administrator account, and your newly formed standard user account. After that, just log in to your system and start using your computer. Of course, this does not mean you should not use an anti-virus. An antivirus is still needed in case you make a big mistake, but the simple steps above will mean that you will have control over your own security instead of blindly relying on some third party vendor.

You do not believe me? You have heard all about the Swiss cheese security of Windows, right? How come anyone dare say that one can actually surf the Internet freely without being dependent on an antivirus? Ok, believe what you see. I am providing some screenshots how the simple steps taken above have helped me to avoid viruses. Also, kindly note that I still use an antivirus, although a free one. However, to show you the effectiveness of the standard account with parental controls, I had switched off the antivirus while taking the screenshots below.

 

 

This is the first screenshot as to what happens when I try to execute a virus form my malware collection.

 

Similarly, when surfing, a drive by download, or a download which you have mistakenly run cannot execute itself:

 

 

Of course, it will not help you if you still choose to override the parental controls and install rogue software. A proper antidote to unsafe driving and internet surfing has not yet been discovered. However, even then, it is better to use a limited standard account because:

  • You have time to see the publisher and site the program is being downloaded from and if possible get the program analyzed by comprehensive black list based programs like that found in www.virustotal.com before installing it
  • In cases of droppers and downloaders, you get another warning that a further exploit is to be installed
  • it is easy to clean up the mess, and other accounts do not get compromised.

 

Other things to take care of:

Just using a standard account with parental controls will not help fully. For optimum security, you have to take the additional steps:

  1. Keep all the software up to date with security patches. In case you find it difficult to do this, use Secunia personal security inspector.
  2. See that your firewall is turned on. The Windows firewall is adequate for most purposes, and the Vista firewall can be configured to act as a two-way firewall. Advanced users may use a good third party firewall.
  3. Back up your files regularly.
  4. Encrypt your sensitive data. If you are paranoid about online financial security, use a separate password protected user account just for sensitive internet transactions
  5. Use a safe surfing policy. This means setting up site specific settings on a browser, with plugins (and if paranoid, javascript and iFrames) disabled for all but a handful of sites.
  6. Choose a good anti-virus and keep it up to date, so that even if you make a mistake, it may catch it. The present security scenario, with emphasis on fooling the user to install a program, needs a very good blacklist based system in addition to the system I have mentioned above.However, be warned, antiviruses do not detect the vast majority of rogue software out there.
  7. If you have to run a downloaded program, please do an internet search on the site the program has been downloaded from as well as the program itself. It is always advisable to get any downloaded executable (.exe) or archive (.zip, .rar etc)  thoroughly analyzed by a source such a www.virustotal.com. I would recommend doing a MD5 hash search before submitting the sample because it prevents the servers from getting clogged up and saving bandwith charges for a useful free service. The malware writers make use of such a service to see that their programs do not get detected by the majority of the anti-viruses, so why should you not make use of such a service?