Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: Targeted at Executives - More Better Business Bureau phish malware SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Targeted at Executives - More Better Business Bureau phish malware

We have information that executive staff at 3 corporations are still being targeted with emails with mailicious attachments that AV vendors are finding hard to identify. The best and ongoing analysis of this highly successful attack is the BBB Phishing Trojan analysis by Joe Stewart of SecureWorks.

The information tends to show the recent attacks started to be detected by AV vendors on 07/31. One of our reports indicates that after the initial malware detection, new and undetected attachment variants were emailed. Malware samples submitted show coverage for at least one sample is still spotty.

One submission email had the following information;

 "This is an automated email that confirms the registration of your complaint case number : CX784486090 filed by your company on 7/29/2007 concerning Online Identity Theft.
   While The Better Bussiness Bureau Online does not resolve individual consumer problems, your complaint helps us investigate fraud, and can lead to law enforcement action.

   ATTACHED you will find a copy of your complaint .Please print and keep this copy for your personal records.
   We use secure socket layer (SSL) encryption to protect the transmission of the information you submit to us when you use our secure online forms.
The information you provided to us is stored securely.

   The form you used to register this complaint is designed to improve public access to the Better Business Bureau of Consumer Protection Consumer Response Center, and is voluntary. Through this form, consumers may electronically register a complaint with the BBB.Under the Paperwork Reduction Act, as amended, an agency may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a currently valid OMB control number. That number is 382-898.

   Our staff will keep you updated regarding the status of our investigation.

© 2003 Council of Better Business Bureaus, Inc. All Rights Reserved."

One report indicated that downloaded files included winupdate.exe, yhelp.exe
and other temp files McAfee flagged as PWS-FireMing.dll, McAfee's PWS-FireMing.dll write-up has no information.

File names are not reliable in many situations, but Sunbelt had a file named yhelp.dll in a description of recent malware, they listed some downloaded files;

File Traces
%WINDOWS%\ yhelp.dll
update1.exe
yhelp.dll

There was no other useful information on their site.
http://research.sunbelt-software.com/threatdisplay.aspx?name=Trojan-SpyLogsniff.aj&threatid=145086

One sample's analysis at Virustotal;
File Complaint_158684523.doc received on 08.02.2007 18:22:54 (CET)
Result: 10/32 (31.25%)

Antivirus Version Last Update Result
AhnLab-V3 2007.8.3.0 2007.08.02 -
AntiVir 7.4.0.57 2007.08.02 TR/Dldr.Agent.caa.2 Authentium 4.93.8
2007.08.02 W32/Dropper.GGD Avast 4.7.1029.0 2007.08.02 - AVG 7.5.0.476
2007.08.02 - BitDefender 7.2 2007.08.02
Dropped:Generic.Malware.dld!!.EC529233
CAT-QuickHeal 9.00 2007.08.01 -
ClamAV 0.91 2007.08.02 -
DrWeb 4.33 2007.08.02 -
eSafe 7.0.15.0 2007.07.31 -
eTrust-Vet 31.1.5026 2007.08.02 -
Ewido 4.0 2007.08.02 -
FileAdvisor 1 2007.08.02 -
Fortinet 2.91.0.0 2007.08.02 -
F-Prot 4.3.2.48 2007.08.02 W32/SecRisk-ProcessPatcher-Sml-based!Maximus
F-Secure 6.70.13030.0 2007.08.02 Trojan-Downloader.Win32.Agent.caa
Ikarus T3.1.1.8 2007.08.02 Trojan-Downloader.Win32.Agent.caa Kaspersky
4.0.2.24 2007.08.02 Trojan-Downloader.Win32.Agent.caa McAfee 5088
2007.08.01 - Microsoft 1.2704 2007.08.02 -
NOD32v2 2433 2007.08.02 -
Norman 5.80.02 2007.08.02 -
Panda 9.0.0.4 2007.08.02 Suspicious file
Prevx1 V2 2007.08.02 -
Rising 19.34.32.00 2007.08.02 -
Sophos 4.19.0 2007.08.01 -
Sunbelt 2.2.907.0 2007.08.02 -
Symantec 10 2007.08.02 Trojan.Dropper
TheHacker 6.1.7.160 2007.08.01 -
VBA32 3.12.2.2 2007.08.01 -
VirusBuster 4.3.26:9 2007.08.02 -
Webwasher-Gateway 6.0.1 2007.08.02 Trojan.Dldr.Agent.caa.2 Additional
information File size: 34863 bytes
MD5: 134e3045664357da281806fc053076ba
SHA1: 25cfc729de06c88cfcba9a8dfa63b84d6d0c92f1

Patrick

193 Posts

Sign Up for Free or Log In to start participating in the conversation!