The Fake Codec / Fake Anti-Virus malware campaign, historically led by the Russian Business Network (RBN), has been going on for some time (here's a blog post dating back to 2006). Dancho Danchev's blog often details this campaign as well. While the campaign hasn't changed that drastically from its inception, I thought I'd provide an overview of a case seen this morning to highlight its current state.
This morning's case used a LastFM user profile to advertise a Britney Spears sex tape:
LastFM is not the only social site whose user-generated content has been abused to advertise malware campaigns (other popular social sites where Fake Codec / AV malware has been advertised include LinkedIn, Hi5, Digg, Scribd, and yes, Facebook).
Here are a few more examples of these advertisements seen in LastFM (be careful if you follow these links): example 1, example 2, and example 3.
The Shoutbox portion of the profile provides the link that kicks off the "fun-filled" viewing for the unsuspecting victim ...
The link directs the would-be victim to: hxxp://bigtubeforyou.com/mirolim-video/5.html
which decodes to:
Varying the "sid" parameter cycles the client through a round-robin of 302 redirects to Fake Codec / AV malware sites, including:
With malware downloads to:
Some of the A records for the above used domains:
bigtubeforyou.com. 3600 IN A 18.104.22.168
evamendesochka.com. 2123 IN A 22.214.171.124
showmelovetube.cn. 2145 IN A 126.96.36.199
tubefreewatch.cn. 3600 IN A 188.8.131.52
NS records for the above used domains include:
ns1.kimmusha.com. 172513 IN A 184.108.40.206
ns1.evamendesochka.com. 172800 IN A 220.127.116.11
Taking a look at the 18.104.22.168/19 rwhois for this hopone.net block shows that the two IP addresses used in this campaign are specifically SWIPed out (reassigned in the Shared WHOIS Project data) to the "sls-db4p12" network name, "svservers" organization:
The sls-db4p12 network name identifies the IPs as being part of the superb.net network. The organization, svservers, has been identified in the past (again, dating back to 2006) as supporting spamming / hacking operations. SvServers is a Russian dedicated hosting service:
These redirect / malware domains will be rotated by the malware provider as they are discovered and blocked (e.g., by Google / browser alerts); one of the above three was already in my browser's alerts at the time of writing this up. Fortunately for reputation-based schemes, such as Zscaler's Page Risk Indexing, these IPs, and certainly the SvServers infrastructure, will remain in use by the malware provider for a while longer, so blocking at that layer outlasts blocking individual domains.
The malware samples have very poor detection:
VirusTotal (5/41): http://www.virustotal.com/analisis/d1a052f117f1e0e4f828c04b7cabd8428cde6b9fc11f61e6e2f3d63ec01f9152-1260842320
VirusTotal (8/41): http://www.virustotal.com/analisis/439d13cdefff86ed15051920114d10d2b190d08c1620245b15c6e56f1c8958e1-1260844620
and the most interesting for last:
VirusTotal (0/41): http://www.virustotal.com/analisis/387b9195ab821bdc32c8e2523e1137de67305100b992df0d4393198adae292ae-1260817839
F-Prot identified the binary as being packed by NSIS. NSIS is the Nullsoft Scriptable Install System, whose site states the following capabilities:
The latest release was recent: NSIS 2.46 on December 6, 2009.
7-Zip advertises on its homepage that it can unpack NSIS installers. Running the file through 7-Zip, the following file was extracted from the NSIS archive:
VirusTotal (0/41): http://www.virustotal.com/analisis/327939a7910aa4747302c66ba6f4b6f8eea8cd08a4e3065682a711149c3f318e-1260820248
The DLL is 73728 bytes and imports functionality from the following Windows DLLs:
gdi32.dll, kernel32.dll, ole32.dll, shell32.dll, shlwapi.dll, user32.dll
And exports the functions:
DllInit and DllInstall
Running install_plugin.exe through a sandbox showed that a file with the same MD5 as cryptwm97.dll was created on the infected system at the location:
Where, %AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
The malware also added the following autostart registry value:
atmsyssound = "rundll32.exe "%AppData%\atmsyssound\atmsyssound.dll", DllInit"
so that atmsyssound.dll runs its initialization function DllInit every time Windows starts.
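That autostart value is a useful detection handle on its own: a legitimate installer rarely registers a Run value that uses rundll32.exe to load a DLL out of a user-writable directory such as %AppData%. The following is an added example (not code from the original post) that parses Run-key values of the form shown above and flags exactly that pattern. The sample values are constructed for illustration; only the atmsyssound entry is taken from the post, the others are benign-looking filler.

```python
import re

# Constructed sample of Run-key values as (name, data) pairs, the way an
# autoruns export or `reg query` listing would present them. Only the
# atmsyssound entry comes from the post; the rest are benign-looking filler.
SAMPLE_RUN_VALUES = [
    ("atmsyssound", r'rundll32.exe "%AppData%\atmsyssound\atmsyssound.dll", DllInit'),
    ("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("Adobe Reader Speed Launcher", r'"C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"'),
    ("nwiz", r"rundll32.exe C:\WINDOWS\system32\nvcpl.dll,NvStartup"),
]

# Environment variables that expand to directories a non-admin user can write to.
USER_WRITABLE_PREFIXES = ("%appdata%", "%localappdata%", "%temp%", "%tmp%", "%userprofile%")

# rundll32 [path\]rundll32.exe <dll>,<export>   (the DLL may be quoted or bare)
RUNDLL32_RE = re.compile(
    r'^\s*"?(?:[a-z]:\\[^"]*\\)?rundll32(?:\.exe)?"?\s+'
    r'(?:"(?P<qdll>[^"]+)"|(?P<dll>[^\s,]+))'
    r"\s*,\s*(?P<export>\S+)",
    re.IGNORECASE,
)


def parse_rundll32_entry(data):
    """Return (dll_path, export_name) if the value invokes rundll32, else None."""
    m = RUNDLL32_RE.match(data)
    if not m:
        return None
    return (m.group("qdll") or m.group("dll"), m.group("export"))


def is_user_writable(path):
    """True for locations a normal user can write to, in %VAR% or expanded form."""
    p = path.lower()
    if p.startswith(USER_WRITABLE_PREFIXES):
        return True
    # Expanded XP-era profile paths and Vista+ C:\Users\<name>\AppData paths
    return ("\\documents and settings\\" in p
            or ("\\users\\" in p and "\\appdata\\" in p)
            or "\\temp\\" in p)


def suspicious_run_entries(values):
    """Flag Run values that use rundll32 to load a DLL from a user-writable directory."""
    hits = []
    for name, data in values:
        parsed = parse_rundll32_entry(data)
        if parsed is None:
            continue
        dll, export = parsed
        if is_user_writable(dll):
            hits.append({"value": name, "dll": dll, "export": export})
    return hits


if __name__ == "__main__":
    for hit in suspicious_run_entries(SAMPLE_RUN_VALUES):
        print(f"{hit['value']}: rundll32 loads {hit['dll']} -> {hit['export']}")
```

On a live system the same check can be run over the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` (and the HKLM equivalent); the nvcpl.dll entry shows why the directory test matters, since rundll32 by itself is a normal autostart mechanism.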
No network traffic was observed after infection. There is one identifiable string in the binary beyond the names of the imported Windows DLLs and functions: dvyllawnx.dll. Googling for atmsyssound.dll, cryptwm97.dll, and dvyllawnx.dll revealed no results. While the exact functionality of the binary is currently unknown, odds are that it is an information stealer of some kind or a backdoor similar to Zlob (which has been the typical payload of these Fake Codec attacks). I plan to conduct further analysis on the payload and will share it in a future blog post if it is interesting.
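Pulling that kind of odd DLL name out of a sample is a `strings` pass with the import table subtracted, and it is worth scanning for UTF-16LE text as well, since an ASCII-only pass misses names the binary keeps as wide strings. The following is an added example (not code from the original post, and not run against the real sample): the byte blob is a constructed stand-in that embeds the import names from the post, the dvyllawnx.dll string, and one wide-character DLL name, and the function reports the DLL-like strings the import table does not account for.

```python
import re

# Constructed stand-in for a slice of the payload DLL (not the real sample):
# a few import names, the odd ASCII string the post mentions, one UTF-16LE
# DLL name of the kind an ASCII-only strings pass misses, and export names.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"kernel32.dll\x00user32.dll\x00shlwapi.dll\x00"
    + b"\x8b\xff\x55\x8b\xec"                       # opaque code bytes
    + b"dvyllawnx.dll\x00\x00"
    + "atmsyssound.dll".encode("utf-16-le") + b"\x00\x00"
    + b"\x01\x02DllInit\x00DllInstall\x00"
)

# Imports reported for the DLL in the post
KNOWN_IMPORTS = ["gdi32.dll", "kernel32.dll", "ole32.dll", "shell32.dll", "shlwapi.dll", "user32.dll"]

ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")                 # 4+ printable ASCII bytes
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")         # 4+ printable UTF-16LE code units
DLL_NAME_RE = re.compile(r"^[A-Za-z0-9_\-]+\.dll$", re.IGNORECASE)


def extract_strings(data):
    """Return (offset, encoding, text) for printable ASCII and UTF-16LE runs of 4+ chars."""
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ASCII_RE.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
              for m in UTF16_RE.finditer(data)]
    return sorted(found)


def unexplained_dll_names(data, imported):
    """DLL-looking strings in the binary that the import table does not account for."""
    known = {name.lower() for name in imported}
    return sorted({text.lower() for _, _, text in extract_strings(data)
                   if DLL_NAME_RE.match(text) and text.lower() not in known})


if __name__ == "__main__":
    for offset, encoding, text in extract_strings(SAMPLE_BINARY):
        print(f"{offset:06x} {encoding:8} {text}")
    print("unexplained DLL names:", unexplained_dll_names(SAMPLE_BINARY, KNOWN_IMPORTS))
```

Against a real file, read it with `open(path, "rb").read()` and pass the import list from whatever PE tool you used; the leftover names are the ones worth searching for, as the post does with dvyllawnx.dll.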
Some lessons from this: