PayPal Phish With a Sting in the Tail…
Over the last month the number of phishing scams I see has risen. In fact, since the beginning of November I have reported over 3,000 new phishing URLs. This is a significant increase for me, as I usually only report around 100 to 150.
Each phishing e-mail is checked, all links are tested against the Netcraft toolbar, and any new ones that the Netcraft toolbar doesn’t yet know about are submitted for inclusion in their database. Nothing too unusual there. However, once in a while I spot something that makes a new phish stand out from the crowd. One of these events happened last week, and this post will explain why I considered it not one of the run-of-the-mill phishing scams.
For starters here’s a screenshot of the e-mail I received:

A larger version can be found here.
Nothing too unusual here: this looks like a typical PayPal phishing e-mail, complete with the fake URL. The one you go to is not the one shown in the e-mail!
Next, here’s a screenshot of the phishing website you saw [yes, past tense, as it has now been closed down] when the link in the e-mail was clicked on:

A larger version can be found here.
You can also clearly see that, at the time I took this screenshot, it was not detected by the Netcraft toolbar, or even by the Firefox anti-phishing functions which are now built into the browser.
As with the original phishing e-mail, nothing too surprising here: a typical PayPal phishing site.
So, I logged in [using false credentials, of course] and filled out the required forms with my name, address, social security number, date of birth and credit card details [including CVV and PIN]. Everything was just like most other PayPal phishing sites, that is, until the confirmation page…
This is what I saw:

A larger version can be found here.
Oh goody, I thought, they are offering me a free download of an ‘eBay Toolbar’ called VGuard, and it is at version 10, yippee! Of course, I immediately downloaded it and installed it, as most users do, don’t they? [Don’t panic, I did download it, but I didn’t install it].
What I did do, once I had downloaded it, was to analyse it. Here’s the file information:
FileName: Guardv10.exe.1
FileDateTime: 16/11/2006 17:44:35
Filesize: 149254
MD5: 2fadb5a4f3c80e78197d733255136ba7
CRC32: 7B3A6C60
File Type: PE Executable
Packer: Standard PE File
Interestingly, it wasn’t even packed using the usual malware authors’ tools, such as UPX, ACE, and so on.
I had a quick peek at the internals of the file and saw it would create some files and execute them; not just any files, but a DOS batch [.BAT] file, very suspicious! So I sent it off to be run in a sandbox, and here are the results:
Guardv10.exe : Not detected by Sandbox (Signature: NO_VIRUS)
[ General information ]
* File length: 149254 bytes.
* MD5 hash: 2fadb5a4f3c80e78197d733255136ba7.
[ Changes to filesystem ]
* Creates file C:\TEMP\bt8323.bat.
* Deletes file C:\TEMP\bt8323.bat.
[ Process/window information ]
* Creates an event called .
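The create-then-delete of a batch file in C:\TEMP is the detail that gives the dropper away even though the sandbox itself returned NO_VIRUS. The following is an added example (not from the original post or the sandbox vendor) that parses a report in the quoted format and flags exactly that transient script drop; the report text is a constructed copy modelled on the one above, and the script extensions and temp-directory names are my own assumptions.

```python
import re
from typing import List, Tuple

# Constructed sample modelled on the sandbox output quoted in the post.
SANDBOX_REPORT = """\
Guardv10.exe : Not detected by Sandbox (Signature: NO_VIRUS)
[ General information ]
* File length: 149254 bytes.
* MD5 hash: 2fadb5a4f3c80e78197d733255136ba7.
[ Changes to filesystem ]
* Creates file C:\\TEMP\\bt8323.bat.
* Deletes file C:\\TEMP\\bt8323.bat.
[ Process/window information ]
* Creates an event called .
"""

# Each filesystem line ends with a full stop that is not part of the path.
FILE_RE = re.compile(r"^\* (?P<action>Creates|Deletes) file (?P<path>.+?)\.?$")

# Assumed lists: script types a dropper typically writes, and the temp
# directories (lower-cased, with surrounding separators) it writes them to.
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js")
TEMP_DIRS = ("\\temp\\", "\\tmp\\", "\\local\\temp\\")


def file_events(report: str) -> List[Tuple[str, str]]:
    """Return (action, path) pairs from the 'Changes to filesystem' lines."""
    events = []
    for line in report.splitlines():
        m = FILE_RE.match(line)
        if m:
            events.append((m.group("action"), m.group("path")))
    return events


def transient_script_drops(report: str) -> List[str]:
    """Paths of scripts created in a temp directory and later deleted again.

    Writing a script, running it and removing it is a classic dropper
    pattern; it is visible in the trace even when the verdict says clean.
    """
    created = set()
    hits = []
    for action, path in file_events(report):
        low = path.lower()
        if action == "Creates":
            created.add(low)
        elif action == "Deletes" and low in created:
            if low.endswith(SCRIPT_EXT) and any(d in low for d in TEMP_DIRS):
                hits.append(path)
    return hits
```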
The results from the sandbox did indeed show that it created a batch file. So, which anti-malware tools detect it? To find out I scanned it using over 30 ‘up-to-the-minute’ updated anti-malware tools; here are the results:
============================================================
Scan report of: Guardv10.exe
@Proventia-VPS Malicious (Cancelled)
AntiVir -
Avast! -
AVG -
BitDefender -
ClamAV -
Command -
Dr Web -
eSafe -
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure -
F-Secure (BETA) -
Fortinet -
Fortinet (BETA) -
Ikarus -
Kaspersky -
McAfee -
McAfee (BETA) -
Microsoft -
Nod32 -
Norman -
Panda Suspicious file
Panda (BETA) Suspicious file
QuickHeal -
Rising -
Sophos -
Symantec -
Symantec (BETA) -
Trend Micro -
Trend Micro (BETA) -
UNA Trojan.BAT.Small.BC0B
VBA32 -
VirusBuster -
WebWasher -
YY_Spybot Jupilites,,Installer
============================================================
As you can clearly see, hardly any of them detected anything at all; even the mighty Kaspersky failed to find anything in the file. So, what did I do? The same thing I always do when I find a new piece of malware: I sent it off to all the anti-malware companies to add detection for it to their products.
Sorry, you want to know what it [the malware] does? OK.
The sting in the tail mentioned in the title of this posting is that the phishers have used a bit of extra social engineering to get a ‘phished’ target not only to give away their personal and financial data, but also to download and run what the end user thinks is a ‘useful’ toolbar…when in fact what it does is:
It attempts to remove the first four boot configurations from the ‘boot.ini’ file and then delete the ‘hal.dll’ file in the Windows ‘System’ directory. It then copies itself to the Windows ‘Startup’ folder and proceeds to shut down [reboot] the computer.
If it is successful this will make the infected computer unbootable and it may also show a rude message in Romanian on the screen.
Now, is that a sting in the tail or not?
Not only have the phishers made off with the user’s data, but they are also trying to cover their tracks by making the system unusable…any half-decent ‘geek’ could of course resolve the matter fairly easily, but most users would be completely stumped as to how to proceed at this point. I suppose they would take it to their local PC expert or repair center?
Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.
All the data up to the end of December 2006 will be left here; however, all postings from the 1st of January 2007 onwards will only be available at this blog’s new home.
ALL future postings will only be available at the new site.