The State of Malware Today - April 2006

Fortinet Reviews Malicious Code Activity In April 2006

This month, the Fortinet Research team uncovers new threats and dissects cybercrooks’ intentions, delivering insights on the freshest scams around. This month's highlights:
April, by the numbers: Top 10 threats caught by Fortinet's FortiGate security appliances in April 2006:
In this month’s top 10, unsurprisingly dominated by Adware/BetterInternet thanks to its ongoing botnet support (see the February and March roundups), the entrance of HTML/BankFraud.E!phish should be noted. It is symptomatic of this month’s trend: phishing increased by more than 1 percent, which represents significant growth for non-replicating threats. This growth is illustrated in Figure 1.
The old sk00ler of the month: W32/Polipos

This file infector virus, which embeds a strong polymorphic routine and resorts to an effective Entry Point Obfuscation (EPO) technique, is the winner of our Old School virus of the month “contest” [no contest was actually held]. This virus has very low activity due to nonexistent seeding and the absence of bot features (hence of financial motive), two other characteristics of old-days viruses that further confirm this threat’s vintage nature. That said, there is no denying that the concept behind this threat should serve as a genuine warning to AV companies. Advanced polymorphism added to EPO capabilities makes it particularly difficult to detect, and tremendously extends the opportunity window for the virus to propagate – from a few hours for a typical worm to several days or weeks for this one. Fortunately, it does not make use of this exceptional opportunity window, because of the absence of real seeding. But others could. Finally, the cross-computer spreading routine of this file infector (it simply infects files in P2P shared folders, waiting for remote users to download them) could be particularly deadly if coupled with appropriate seeding.
Fortinet’s intelligence team noticed this month what may be the first MSN phishing site. There, users are tricked into giving out their username/password credentials, supposedly so that the site can check who, among the lured user's contacts, has deleted him or her. As a matter of course, that kind of tool is a myth: the site just returns an error message (asking the user to check the validity of her username/password again, just to be sure to grab it) and stores the stolen credentials.
The goal behind this phishing operation could seem somewhat opaque. Yet a natural explanation arises after looking at the last months' virus trends: the supposedly expected reign of IM worms does not seem to have arrived yet. That is because virus authors find themselves confronted with a fundamental barrier when engineering an IM worm: while email addresses are easy to collect on the web, IM ids are generally less public, making the seeding process significantly harder to set up. Furthermore, the effectiveness of an IM worm's social engineering strategy relies strongly on the fact that people are more likely to accept a transfer originating from one of their contacts than from a stranger, so the initial infected messages must come from existing, real users. Bearing that in mind, the goal of such MSN phishes is most likely to build up a database of active MSN logins and passwords in preparation for a massive seeding. When the time comes, all the contacts of each stolen MSN account may receive an infected message. Fortinet’s intelligence team will continue to closely monitor the situation.
This month, several users of the famous online community MySpace.com contacted us, reporting intriguing spams and links to possible viruses that seemed to flourish on MySpace.com pages. Our analysis revealed an interesting propagation strategy, of what could be called a “virtual” or “social” worm; such worms resemble old “real life” chain-letter scams.

Step 1: What seems to be an ad for revolutionary free software that allows MySpace.com users to track who is reading their profiles (yet another old myth…) is posted in the form of a MySpace bulletin (“Bulletins are messages from and to all your friends at once”).

Step 2: Users following the link featured in that bulletin are redirected to myfriendspy.com, which explains that the magic software would only function if users click on a button to “verify their account.” In fact, the button simply posts the MySpace bulletin described in step 1 above on behalf of the tricked user, and does nothing else.

Step 3: The abused user is politely told that the software is not available yet, but that he or she should bookmark this page and check it very often for the beta release. Meanwhile, however, the users can take advantage of the awesome free software brought to them by Zango (following links to the infamous Adware company's site).
According to Guillaume Lovet, threat intelligence and response team leader for EMEA, this “virtual worm” carries the piece of spam from user to user, thereby propagating without resorting to a single line of machine code – but just by social engineering its victims. The goal behind it is far less innovative: bringing a massive amount of users to click on the Zango “free software” links described in step three, and cashing the money from Zango for each file download originating from myfriendspy.com. This is a perfect illustration of what the infamous “advertisers / Adware company / affiliates” triangle can lead to. Something is definitely rotten in the state of Denmark. Fortinet appliances' web filtering service classifies myfriendspy.com as an Adware site, hence protecting its customers from being scammed, used as a spam vector, and tricked into downloading Adware components, hence filling the pockets of shady affiliates with money from Zango.

Another MySpace.com socially-propagated spam, heavily relying on the lack of technical expertise average users have, sits at profilepeep.com. Now, what is the underlying goal? Well, simply, registered users are offered the chance to become “untrackable” for a fistful of dollars. A less expensive solution for becoming “untrackable” would be to block access to profilepeep.com, so that the hidden images it embeds into MySpace profiles are never actually requested by your machine. Fortinet appliances do that for you, but you could also very well manually “blackhole” profilepeep by adding this line to your “hosts” file in the C:\WINDOWS\system32\drivers\etc directory:

127.0.0.1 www.profilepeep.com

Other MySpace.com annoyances resort to the same kind of trick. Our advice: do not trust ads posted as bulletins, and forget about trackers – it’s a myth, widely used to lure users into some sort of scam, said Lovet.
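The hosts-file blackhole above, written out as a small idempotent helper (an added example, not Fortinet's code or tooling): it parses the existing file so hosts that are already mapped are not duplicated, and appends 127.0.0.1 entries for the rest. The domain list extends the writeup's single line to the two sites it names (an assumption), and the Windows path is the one the text gives.

```python
# Hosts-file path named in the writeup (Windows); other systems use /etc/hosts.
HOSTS_PATH = r"C:\WINDOWS\system32\drivers\etc\hosts"

# Tracker/adware hosts to sinkhole. Assumption: the bare and www. names of the
# two sites discussed in the writeup; the original text gives only the first.
BLACKHOLE_DOMAINS = ["www.profilepeep.com", "profilepeep.com", "myfriendspy.com"]


def parse_hosts(text):
    """Return the set of hostnames already mapped in a hosts file (comments ignored)."""
    mapped = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments and blanks
        if not line:
            continue
        parts = line.split()                  # "<address> <host> [<alias> ...]"
        if len(parts) >= 2:
            mapped.update(h.lower() for h in parts[1:])
    return mapped


def blackhole_entries(text, domains, sink="127.0.0.1"):
    """Return (new_text, added): hosts text with the missing domains sinkholed.

    Domains already mapped (to any address) are left alone, so running this
    twice changes nothing; that is the edge case a naive 'append' would miss.
    """
    present = parse_hosts(text)
    added = [d for d in domains if d.lower() not in present]
    if not added:
        return text, []
    out = text if text == "" or text.endswith("\n") else text + "\n"
    out += "# blackholed tracker/adware hosts (added by blackhole_entries)\n"
    for d in added:
        out += f"{sink} {d}\n"
    return out, added


def apply_to_file(path=HOSTS_PATH, domains=BLACKHOLE_DOMAINS):
    """Rewrite the hosts file in place; needs administrator rights on Windows."""
    with open(path, "r", encoding="utf-8") as f:
        text = f.read()
    new_text, added = blackhole_entries(text, domains)
    if added:
        with open(path, "w", encoding="utf-8") as f:
            f.write(new_text)
    return added


# Constructed sample: profilepeep is already blackholed, the other two are not.
SAMPLE_HOSTS = "127.0.0.1 localhost\n127.0.0.1 www.profilepeep.com # existing entry\n"

if __name__ == "__main__":
    updated, newly_added = blackhole_entries(SAMPLE_HOSTS, BLACKHOLE_DOMAINS)
    print("added:", newly_added)
    print(updated)
```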
Infection “Swiss Army Knife” Style

This month, we continue to see viruses implementing a multi-vector attack and approach to compromising systems and infecting them. Take for instance “Kidala” – it tries to infect a system by numerous schemes, including instant messaging, Microsoft Windows exploits and good ol’ email. Fortinet virus researcher Patrick Nolan suggests that this illustrates at least one c0d3r’s desperation to spread his nastiness. It would appear that this methodology is not going away anytime in the next few years, as it is becoming less the exception and more the rule, said Nolan.