
Zero-day profiteering

Date: 12.29.2005

Threat Type: Informational Alert

The following paper describes how the affiliates in the potentially unwanted software business interact, gives details on installation methods, the code used, and propagation and installation statistics, and covers some of the methods these companies use to make money.

Starting in mid-December 2005, we began investigating several websites that were using browser exploits to download and run code on end users' machines without any end-user knowledge. These sites were not only using older Internet Explorer vulnerabilities but were also utilizing a recent zero-day vulnerability that at the time had no fix (this was the window(open) MS IE vulnerability). After tracing the code we discovered an entity called Exfol Software, a registered company in Vanuatu, in the South Pacific, with ties to the other entities listed below (taken from their licensing agreement). As of this week the same sites are using the current WMF zero-day exploit, for which no patch is available, in order to install their affiliates' programs. The code is placed within IFRAMEs on websites.

Both Exfol and Freecat.biz are hosted on web servers in South America and were up at the time of this alert.

Their licensing agreement includes a list of affiliates that they bundle with their software:

Licensing agreement snippet:

You agree that when you download Exfol's Software, it may come bundled with additional partners. Our current partners can include SSK, trafficsector, sudoku, spywarelabs, matscash and bookedspace. Each of these website locations has uninstall directions for their specific software should you wish to remove them.

We downloaded the licensing agreement from one of the websites. It is in fact downloaded as part of some of the malicious code, but it is never displayed, and end users are never given the choice to install and run the software.

Currently the Exfol and Freecat.biz websites are distributing exploit files that utilize the WMF vulnerability, which allows the unauthorized running of applications. The files are Trojan downloaders that download and run files from the freecat.biz website, named pawn001.exe through pawn009.exe. Upon viewing any of the WMF files, the end user's machine downloads and runs one of the aforementioned files. The files themselves are designed to install several pieces of potentially unwanted software. In several cases these report that your machine has been infected with spyware and that you may have security problems on your machine. You are then prompted to purchase software from one of the affiliates in order to clean your machine. At this time the price we saw was $29 per quarter-year.

At the time of this paper, the main pages of the Exfol.com and Freecat.biz websites carried no information other than "coming soon".

During our investigations we also noticed that one of the websites was running an administrative interface which tracked how many people had downloaded and installed the applications (i.e., had been infected), and which held several other pieces of pertinent information, such as how the files are distributed, how the affiliate IDs match up with the exploit code, and who some of the affiliates are.

As you can see from the statistics on their site, they were, and still are, receiving a lot of hits to their site, in some cases tens of thousands of hits per day.

We created a short video example of a machine visiting a site that has the IFRAME code on it. Even though there is an ActiveX popup warning, the code downloads and installs in the background. After the code has been downloaded and launched, you can see several security warnings that prompt you to purchase software. The security alerts are fraudulent.

http://www.websensesecuritylabs.com/images/alerts/exfol-movie.wmv

Upon accessing the site, a WMF file is loaded that executes shellcode utilizing the recently reported Windows WMF vulnerability (see http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=385). The shellcode calls URLmon.dll to download and execute another file.

Strings of the WMF file showing the download site for the Trojan horse. The file pawn00#.exe in turn downloads other executables.
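As an added example (not part of the original alert and not Websense's own tooling), the following Python scanner shows how a defender can triage suspect WMF files offline: it walks the metafile records, counts META_ESCAPE records whose escape function is SETABORTPROC (the record type abused by this vulnerability), and extracts any embedded download URLs, as the strings dump above illustrates. The sample metafile and its URL are constructed placeholders.

```python
import re
import struct

META_ESCAPE = 0x0626
META_EOF = 0x0000
SETABORTPROC = 0x0009       # escape function abused by the Dec 2005 WMF exploits
PLACEABLE_KEY = 0x9AC6CDD7  # optional 22-byte Aldus "placeable" header

def wmf_records(data):
    """Yield (function, params) for every record in a WMF file."""
    off = 22 if struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY else 0
    hdr_words = struct.unpack_from("<H", data, off + 2)[0]
    off += hdr_words * 2                     # skip METAHEADER (normally 18 bytes)
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:                   # malformed record: stop, don't loop forever
            break
        params = data[off + 6: off + size_words * 2]
        yield func, params
        if func == META_EOF:
            break
        off += size_words * 2

def scan_wmf(data):
    """Count SetAbortProc escapes and pull out any URLs embedded in the file."""
    findings = {"setabortproc": 0, "urls": []}
    for func, params in wmf_records(data):
        if func == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params, 0)[0] == SETABORTPROC:
                findings["setabortproc"] += 1
    # Downloader shellcode carries its URL as plain ASCII, so a strings-style search finds it.
    findings["urls"] = re.findall(rb"https?://[\x21-\x7e]+", data)
    return findings

def _build_sample():
    """Constructed WMF with one SETABORTPROC escape record; the URL is a placeholder."""
    url = b"http://example.invalid/pawn001.exe"
    esc = struct.pack("<HH", SETABORTPROC, len(url)) + url
    rec = struct.pack("<IH", (6 + len(esc)) // 2, META_ESCAPE) + esc
    eof = struct.pack("<IH", 3, META_EOF)
    body = rec + eof
    # METAHEADER: Type, HeaderSize(words), Version, Size(words), Objects, MaxRecord, Members
    hdr = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, len(rec) // 2, 0)
    return hdr + body

SAMPLE_WMF = _build_sample()

if __name__ == "__main__":
    print(scan_wmf(SAMPLE_WMF))
```

A benign metafile normally contains no SETABORTPROC escape at all, so a nonzero count together with an embedded URL is a strong indicator worth blocking at the gateway.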

Screenshots of the Exfol web administrative interface (showing IDs and installation information).

Note: Research assistance provided by Tom Fischer.