In more than one blog post during the last several months, we have discussed a sophisticated plug-and-play malware campaign that infects users’ computers with a single click. During the last several months, the spammers have spoofed several major brands, including Facebook, eBay, Amazon, YouTube, GoDaddy.com, WordPress and Wikipedia. Today, we blocked another variant whose drive-by downloader component, at the time we blocked it, had been detected by only a single anti-virus engine (as is typical for these campaigns).
One of the emails in the campaign had this subject line: “Unauthorized ACH Transaction.” The email warns recipients that an unauthorized ACH transaction was recently initiated from their bank account, but that it was rejected by the “Electronic Payments Association.” The user is then invited to click on an embedded link to review the transaction report. That single click could infect the user’s computer with a Trojan.
We also noticed other campaigns today that were using this technique, but spoofing Xerox WorkCentre messages which are used to send scanned documents as attachments over email.
The one-click malware spammers finally switched out one of the older exploits they had been using for months (CVE-2006-0003). It was replaced with a more recent one, the Windows Help Center vulnerability (CVE-2010-1885). This exploit was reported in early June, and Microsoft recently issued a patch. For the first time that I am aware of, this vulnerability is being exploited in combination with yet another vulnerability, CVE-2010-2265, which allows cross-site scripting (XSS), thereby classifying this spam attack as a blended threat and ultimately achieving remote code execution.
It appears that the code used in this attack was copied verbatim from public exploit repositories that collect such threats for research purposes. It’s worth noting that the previous exploits from this campaign also used proof-of-concept code virtually unchanged from public sources.
Game-changing, plug-and-play attacks
Here is an example of the newly introduced code being used in this attack:
I’ve been writing about this new trend in one-click malware <http://www.redcondor.com/blog/?p=258> for months now. Recently, I had an epiphany.
Essentially the spammers have constructed an efficient malware distribution framework where they can use their “normal” spam campaigns in double-duty mode. This allows an efficient search of Internet-connected hosts to find and exploit vulnerable machines.
This activity is transparent to the normal function of their spam campaigns. In other words, they can spamvertize any website as usual, but now have the added bonus of piggybacking these campaigns with modular attacks that can be updated by criminals at any time and with little effort.
For this reason I have started referring to this technique as a “plug-n-play” architecture: they can simply chain on exploits as they become available without modifying their spam campaigns in any way. They can use this technique in any spam campaign that relies on a URL-based call-to-action. This is a game changer.
Spammers ironing out the kinks
Despite their sophistication, it appears that the spammers are still trying to iron out some kinks. One of the samples that we blocked earlier in the day had a broken call-to-action URL, and in another sample that I analyzed, the redirect page was broken too. The redirect requests the browser to navigate to the malware distribution site instead of the usual Canadian Pharmacy (or similar) drop-site. This may indicate that there is some type of kit that is behind this recent wave and some spammers haven’t quite figured out how to use it effectively.
These campaigns occurred almost simultaneously with several other variants, all using the same “ACH” and Xerox templates. But instead of using the redirection URL that is the earmark of this plug-n-play exploit framework, they used a direct link to a Windows executable (.exe). Additionally, another variant was observed that embedded the malicious executable within an archive attached directly to the spam. These more direct and traditional methods of infection occurring alongside the plug-n-play variant suggest that the scammers are testing which delivery method is more successful.
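A defender-side triage script for the three delivery variants described above (redirect to an exploit page that invokes the Help Center hcp:// handler abused by CVE-2010-1885, a direct link to a Windows executable, and an executable inside an attached archive). This is an added example, not code from the post or from Red Condor; the spam message, landing page and archive are constructed samples with placeholder hosts, and the regexes are assumptions about what such pages look like.

```python
import io
import re
import zipfile
from email import message_from_string

# Windows Help Center protocol handler abused by CVE-2010-1885.
HCP_RE = re.compile(r"\bhcp://", re.I)
URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.I)
# Redirect page (JS location or meta refresh) that sends the browser to a .exe.
EXE_REDIRECT_RE = re.compile(r"""(?:location(?:\.href)?\s*=|url=)\s*["']?[^"'\s>]+\.exe\b""", re.I)

def extract_urls(raw_email: str) -> list:
    """Collect call-to-action URLs from the text parts of a raw message."""
    msg = message_from_string(raw_email)
    urls = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            body = part.get_payload(decode=True) or b""
            urls.extend(URL_RE.findall(body.decode(errors="replace")))
    return urls

def archive_has_executable(blob: bytes) -> bool:
    """True when a zip attachment carries a .exe, the attachment variant above."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return any(name.lower().endswith(".exe") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False

def classify_delivery(url: str, landing_html: str = "") -> str:
    """Map one call-to-action (plus the page it leads to) onto the campaign's variants."""
    if url.split("?", 1)[0].lower().endswith(".exe"):
        return "direct-exe-link"
    if HCP_RE.search(landing_html):
        return "redirect-to-hcp-exploit-page"
    if EXE_REDIRECT_RE.search(landing_html):
        return "redirect-to-exe"
    return "unclassified"

# Constructed samples modelled on the "ACH" template; not captures from the campaign.
SAMPLE_ACH_SPAM = ("Subject: Unauthorized ACH Transaction\nContent-Type: text/html\n\n"
                   '<p>Review the <a href="http://redirect.example.invalid/go.php?id=7">'
                   "transaction report</a>.</p>\n")
SAMPLE_LANDING = '<script>window.location.href="hcp://placeholder.invalid/x";</script>'
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _zf:
    _zf.writestr("ACH_report.exe", b"MZ placeholder, not a real binary")
SAMPLE_ARCHIVE = _buf.getvalue()

if __name__ == "__main__":
    for u in extract_urls(SAMPLE_ACH_SPAM):
        print(u, "->", classify_delivery(u, SAMPLE_LANDING))
    print("archive carries .exe:", archive_has_executable(SAMPLE_ARCHIVE))
```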
A final note: The executables being used in the campaign appear to be Zbot/Bredo variants, the “banking” Trojans that Red Condor has reported on in past security alerts.