Archive for February, 2010

Feb 11 2010

Sothink’s plugin for Firefox is not a virus

Published under Security Research

This is the conclusion of Bkis R&D, the department specializing in virus research.

On February 04, 2010, Mozilla warned on its blog that two add-ons for the Firefox browser contained Trojans. Specifically, version 4.0 of Sothink’s Web Video Downloader contained Win32.LdPinch.gen, and Master Filer contained the Win32.Bifrose.32.Bifrose Trojan. Both add-ons have since been removed from https://addons.mozilla.org/en-US/firefox/ (AMO).

According to Mozilla, computers on which these plug-ins were installed are infected with malware. Uninstalling the plug-ins does not remove the malware completely; users have to scan their computers with antivirus software. Mozilla also said that many people have downloaded and installed these add-ons. According to AMO’s statistics, “Master Filer was downloaded approximately 600 times between September 2009 and January 2010. Version 4.0 of Sothink Web Video Downloader was downloaded approximately 4,000 times between February 2008 and May 2008.”

Detection for PWS:Win32/Ldpinch.gen has existed since at least February 2008, and the Win32.Bifrose.32.Bifrose Trojan has been detected since 2006. So software containing malware that had been detectable for a long time was hosted on AMO from 2008 without Mozilla noticing. Previously, the Vietnamese language pack for Firefox 2 was infected with malicious code. Together with the current issue, that incident makes many people doubt Mozilla’s security competence.

Studying the two add-ons further, we found the following:

Plugin Master Filer: developed by Haklinim. On December 11, 2009, Xavius, an AMO user, warned that this plug-in was identified as a virus by Kaspersky. It is not a popular plug-in, and its developer is an individual who is not widely known. Mozilla has now removed the plug-in, so we have no download link to check it.

(Plugin Master Filer on AMO)

Plugin Sothink Web Video Downloader is a product of Source Tec (http://www.sothink.com/), a Chinese company specializing in Flash-related software. The company has addressed this issue on its blog, saying that the detection is a false positive caused by its use of the Armadillo packer to protect the product. The product has since been upgraded to version 5.7, which AVs do not flag as malware.

However, all links for installing Sothink Web Video Downloader are currently still blocked by Mozilla.

Plugin Sothink Web Video Downloader

(Plugin Sothink Web Video Downloader has been removed by Mozilla)

So what is the truth behind all of this? Is Sothink’s plug-in for Firefox infected with malware?

Fortunately, we found the setup file of version 4.0 of Sothink’s plug-in and scanned it with VirusTotal. The virus names and the AVs that detect them match Mozilla’s description exactly.

http://www.virustotal.com/analisis/6aad247509a4b130c4f4978a69b4c740c54306bcf37510e0e527279b6c33b752-1265703198

Result of add-on file scan

http://www.virustotal.com/analisis/5be0e7623d8559bbe7f0508c4a389a1c8bd2be52bdf239b35342a574db30374b-1265609610

According to our analysis, this plug-in contains a component named nsCatcher.dll, which AVs identify as Trojan/Win32.LdPinch.gen.

Reports of the nsCatcher.dll file scan on VirusTotal

http://www.virustotal.com/analisis/3f32a9c80dc0c015a097df2c295eb4ced791f1de001bf1dd13e9f4ee88dd7af2-1265733753

We sent the nsCatcher.dll file to Bkis R&D for analysis. The result: it is a clean file that functions normally.

(PEiD recognizes this file as Armadillo)

The nsCatcher.dll file is packed with Armadillo, which matches Sothink’s explanation.

So it can be concluded that Sothink’s plug-in for Firefox is not malware; some AVs have misidentified it. Consequently, Firefox’s warning about this plug-in is not entirely correct.
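The reason a packed but clean DLL trips generic AV detections is that packers such as Armadillo compress or encrypt the original code, which makes the file's sections look like random data. The following is an added example, not code from Bkis or from Sothink, and it does not reproduce PEiD's signature database: it walks the section table of a PE file with a small pure-Python parser and reports the Shannon entropy of each section, the generic "looks packed" heuristic that scanners key on. The two sample images (`SAMPLE_PLAIN`, `SAMPLE_PACKED`) are constructed in the script so it runs offline; they are minimal header-plus-sections blobs, not runnable programs.

```python
import hashlib
import math
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, close to 8.0 for
    compressed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image: bytes):
    """Yield (name, raw_bytes) for every section of a PE image.
    Parses only the fields needed: e_lfanew, NumberOfSections,
    SizeOfOptionalHeader and each section's SizeOfRawData/PointerToRawData."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_opt = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + size_opt
    for i in range(num_sections):
        off = table + 40 * i
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        size_raw, ptr_raw = struct.unpack_from("<II", image, off + 16)
        yield name, image[ptr_raw:ptr_raw + size_raw]


def packer_indicators(image: bytes, threshold: float = 7.0) -> dict:
    """Per-section entropy plus a 'looks packed' flag. High entropy in code or
    data sections is the generic packer indicator AV heuristics key on; it is
    equally consistent with a commercial protector such as Armadillo, so it is
    evidence of packing, never of malice on its own."""
    sections = {name: round(shannon_entropy(raw), 2) for name, raw in pe_sections(image)}
    high = [name for name, h in sections.items() if h >= threshold]
    return {"sections": sections, "high_entropy": high, "looks_packed": bool(high)}


def build_sample_pe(sections) -> bytes:
    """Constructed test input: a minimal PE image (headers plus the given
    [(name, raw_bytes)] sections) that is not a runnable program."""
    size_opt = 0xE0                                   # PE32 optional header size
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x0102)
    opt = b"\x0B\x01" + bytes(size_opt - 2)           # PE32 magic, rest zeroed
    ptr = 0x40 + 4 + len(coff) + size_opt + 40 * len(sections)
    table, blobs = b"", b""
    for name, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(raw), ptr,
                             len(raw), ptr, 0, 0, 0, 0, 0x60000020)
        blobs += raw
        ptr += len(raw)
    return bytes(dos) + b"PE\0\0" + coff + opt + table + blobs


# Constructed section contents: a low-entropy pattern (entropy exactly 2.0)
# and deterministic pseudo-random bytes standing in for a packed section.
LOW = b"\x00\x01\x02\x03" * 1024
HIGH = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))

SAMPLE_PLAIN = build_sample_pe([(".text", LOW), (".rdata", LOW)])
SAMPLE_PACKED = build_sample_pe([(".text", HIGH), (".rdata", LOW)])

if __name__ == "__main__":
    for label, img in (("plain", SAMPLE_PLAIN), ("packed", SAMPLE_PACKED)):
        print(label, packer_indicators(img))
```

Run against a real file with `packer_indicators(open(path, "rb").read())`. A `.text` section near 8 bits/byte says only that the code has been compressed or encrypted; deciding whether the unpacked payload is malicious still requires the kind of behavioural analysis Bkis R&D did on nsCatcher.dll.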

Author: Le Minh Hung – Bkav TaskForce

References

http://blog.mozilla.com/addons/2010/02/04/please-read-security-issue-on-amo/

https://bugzilla.mozilla.org/show_bug.cgi?id=432406

http://blog.mozilla.com/security/2008/05/07/compromised-file-in-vietnamese-language-pack-for-firefox-2/

http://www.sothinkmedia.com/blog/clarification-and-apology-for-sothink-web-video-downloader-for-firefox-4-0/


Feb 10 2010

New phishing attacks target Bank of India

Published under Security Research

Bkis’ malware monitoring system recently detected a new wave of attacks targeting the customers of Bank of India.

The attackers impersonate Bank of India and send customers emails about an upgrade of the online banking system; the details are as follows:

(Image: BankofIndia1)

The attackers trick users into clicking the link embedded in the email, which leads to a website whose interface mimics the genuine site. Users’ account information is stolen as soon as they type it into this fake site.

(Image: BankofIndia2)

Fake website

Unless users pay attention to the domain name in the address bar, it is really difficult for them to tell the fake and real websites apart.

(Image: BankofIndia3)

Genuine website. Can you distinguish the two websites?

One more noticeable point: there is a warning about “Phishing attacks and Vishing attacks” right on the fake website :). The bad guys managed to build an almost identical website, even including this feature. It is likely that Bank of India is aware of the attacks and is trying to warn its clients.

These fake websites have varying domain names that are in no way related to banking. In other similar phishing attacks, the bad guys often create domain names resembling the real website, which makes it easier to fool users. In this case, it is highly likely that the hackers compromised some web servers and used them to host the phishing sites.

Analyst: Toan Duc


Feb 10 2010

Social networking sites – unexpectedly giving a hand to hackers

Published under Security Research

Mention Facebook and there is hardly an Internet user who does not know it is one of the most popular social networking sites. Facebook’s enthusiastic reception by the community is no accident: its openness in connecting friends and sharing updates has brought it this success, and it now has more than 300 million active members worldwide. This popularity has, unexpectedly, been assisting hackers in achieving their bad aims, such as phishing and spreading malicious code. Recently, as you may remember, a worm named Koobface spread widely simply by posting comments with eye-catching content and links to virus-laden files.

To take full advantage of Facebook’s huge member network, hackers constantly search for new and more effective methods. Our honeypot system has just discovered a new virus family that propagates by sending emails pretending to come from Facebook’s administration team.

(Image: facepass1)

This virus (detected as W32.FacePass.Worm by Bkav) drops, after execution, a backdoor that receives commands from a control server with the Russian domain name “apsight.ru” and, at the same time, sends out dummy emails carrying malicious code. When I tried to connect to the control server, I got an interesting response:

(Image: facepass2)

It is not clear whether the hacker’s server is suffering a kind of reverse DDoS because too many people were fooled, or whether this is simply a coding error the hacker made. The first explanation seems more plausible, because the hacker must have tested carefully before releasing the virus into the wild.

Once again, I strongly advise you to take great care with information from the Internet, especially emails from unknown origins. It is also advisable to use antivirus software to scan emails and remove any viruses before opening attachments.

Analyst: Cong Thu
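Both the Bank of India post and this one describe mail that claims a brand it does not come from: the bank mail links to a host with no relation to banking (a hacked server), and the FacePass mail pretends to come from Facebook’s administrators. The following is an added example, not code from Bkis and not a description of its monitoring system: a small mail triage routine that extracts the brand the message claims (from the From and Subject headers), checks whether the sending domain belongs to that brand, and classifies each link as legitimate, lookalike (brand name in the host or path but not on the brand’s domain) or unrelated. The allowlist, the "bankofindia.example" placeholder domain, the eTLD+1 shortcut and the three sample emails are all constructed for the example; facebook.com is the only real domain used.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Constructed allowlist of the brands named in the two posts above.
# "bankofindia.example" is a placeholder standing in for the bank's real domain;
# facebook.com is Facebook's real domain.
BRAND_DOMAINS = {
    "bankofindia": {"bankofindia.example"},
    "facebook": {"facebook.com"},
}
# Simplification of the public-suffix list: good enough for the samples below.
SECOND_LEVEL = {"co", "com", "org", "net", "ac", "gov"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels, or three when the second-to-last
    label is a generic one (login.example.co.uk -> example.co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def brand_mentions(text: str) -> set:
    """Brand keywords present in text after removing separators, so that
    'Bank of India', 'bank-of-india' and 'bankofindia' all match."""
    folded = re.sub(r"[\s\-_.]", "", text.lower())
    return {brand for brand in BRAND_DOMAINS if brand in folded}


def classify_url(url: str, claimed: set) -> str:
    """legitimate: on an allowlisted domain of a claimed brand.
    lookalike: brand name in the host or path, but not on its domain.
    unrelated: nothing to do with the brand (the hacked-server case)."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if any(registrable_domain(host) in BRAND_DOMAINS[b] for b in claimed):
        return "legitimate"
    if brand_mentions(host + parsed.path) & claimed:
        return "lookalike"
    return "unrelated"


def check_email(raw: str) -> dict:
    """Compare what the mail claims to be (brand in From/Subject) with where it
    really comes from and where its links really lead."""
    msg = message_from_string(raw, policy=policy.default)
    from_hdr = msg["From"]
    claimed = brand_mentions(str(from_hdr or "") + " " + (msg["Subject"] or ""))
    sender = from_hdr.addresses[0].addr_spec if from_hdr and from_hdr.addresses else ""
    sender_domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    sender_ok = any(registrable_domain(sender_domain) in BRAND_DOMAINS[b] for b in claimed)
    links = {u: classify_url(u, claimed) for u in URL_RE.findall(msg.get_content())}
    if not claimed:
        verdict = "no brand claimed"
    elif not sender_ok or any(v != "legitimate" for v in links.values()):
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"claimed": sorted(claimed), "sender_ok": sender_ok,
            "links": links, "verdict": verdict}


# Constructed samples modelled on the two posts (addresses and hosts are invented).
BOI_SAMPLE = (
    "From: Bank of India Online <alerts@boi-notice.example>\n"
    "Subject: Online banking system upgrade\n"
    "\n"
    "Dear customer, confirm your details at\n"
    "http://cheap-hosting-123.example/~user/img/upgrade/login.htm\n"
)
FB_SAMPLE = (
    "From: The Facebook Team <password-reset@facebook.com.mail-notify.example>\n"
    "Subject: Your password has been changed\n"
    "\n"
    "Open http://facebook.com.mail-notify.example/reset/ to continue.\n"
)
LEGIT_SAMPLE = (
    "From: Facebook <notification@facebook.com>\n"
    "Subject: New login\n"
    "\n"
    "Review it at https://www.facebook.com/settings\n"
)

if __name__ == "__main__":
    for sample in (BOI_SAMPLE, FB_SAMPLE, LEGIT_SAMPLE):
        print(check_email(sample))
```

The "unrelated" class is the one that matters for the Bank of India wave: a link that has no brand string in it at all is exactly what a phishing page hosted on a compromised third-party server looks like, and a filter that only hunts for lookalike domains will miss it. A production version would replace `registrable_domain` with a real public-suffix lookup and would also inspect attachments, which is how FacePass itself arrives.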


Feb 04 2010

Spams on forum link to Fake AVs

Published under Security Research

There has been a new wave of spam on VBB forums targeting registered users. Miscreants pose as forum administrators and send PMs to individual users warning about the Dashfer virus, a fake gateway virus.

(Image: Spam forum)

In fact, such links lead users to websites hosting fake AVs. These websites imitate the Windows Explorer interface of Windows XP, which makes users believe that their computers are actually infected and leads them to download the fake AVs themselves.

(Image: fakeAV2)

Normally, fake AVs are associated with BlackHat SEO. This time, however, we see fake AVs combined with forum spam. This shows that the bad guys never stop looking for new tricks to infect users’ computers.

Be really cautious with information received from the Internet, and at the same time keep your antivirus software updated to the latest version. If you have any trouble with your computer, contact the professional support staff of your AV vendor for help.

Analyst: Manh Hoai


Feb 02 2010

Bad Joke or Phishing?

Published under Security Research

The time when viruses were written out of passion for IT, or as a joke, has passed; most viruses are now written for obvious financial gain. You may have heard of, or even experienced, malware that steals passwords for online games or banking account details, or fake antivirus software used for phishing. Many methods and scenarios serve the hackers’ ultimate goal of collecting illegal dollars, and once your computer is connected to the Internet you will see no shortage of them.

To deal with this phenomenon, security companies and antivirus vendors analyse threats promptly and publish warnings to users through their Internet security bulletins. Any phishing method therefore gradually becomes less effective, and the bad guys are forced to switch to new ones. Recently, our system detected a new technique being used by hackers, which we call “racketeering encryption”.

Applying “racketeering encryption”, hackers write a virus that encrypts users’ data after infecting the machine. Specifically, the virus (detected as W32.RansomWare.Trojan by Bkav) targets the following file extensions: psd, msi, rar, zip, txt, doc, mp3, tif, jpg, jpeg, wma, lnk, docx, gif, bmp, xls, ppt, xlsx, pptx, docm, xlsm, pps, ppsx, ppd, tif, tiff, eps, png, ace, djvu, pdf, xml, rtf, cdr, max.
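A defender who suspects this kind of infection wants a quick way to find which files have been turned into ciphertext. The following is an added example, not Bkis code and not BkavDecryptTool, and it does not know the virus's encryption algorithm: it walks a directory, restricts itself to the extensions listed above, and flags a file when its leading bytes no longer match the well-known signature for its type (a .jpg that does not start with FF D8 FF, a .docx that is not a zip) or, for plain-text types, when its entropy is far above what text ever reaches. The signature table is the standard set of magic numbers; the sample tree, built in a temporary directory by `build_sample_tree`, is constructed for the example.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

# Extensions the post says W32.RansomWare.Trojan targets.
TARGET_EXT = set("""psd msi rar zip txt doc mp3 tif jpg jpeg wma lnk docx gif bmp xls ppt
xlsx pptx docm xlsm pps ppsx ppd tif tiff eps png ace djvu pdf xml rtf cdr max""".split())

# Well-known file signatures for the targeted types that have a fixed header.
OLE = b"\xd0\xcf\x11\xe0"          # legacy Office / MSI compound documents
ZIP = b"PK\x03\x04"                 # zip and the Office Open XML formats
MAGIC = {
    "jpg": (b"\xff\xd8\xff",), "jpeg": (b"\xff\xd8\xff",), "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"), "bmp": (b"BM",), "tif": (b"II*\x00", b"MM\x00*"),
    "tiff": (b"II*\x00", b"MM\x00*"), "psd": (b"8BPS",), "pdf": (b"%PDF",),
    "rtf": (b"{\\rtf",), "rar": (b"Rar!\x1a\x07",), "lnk": (b"L\x00\x00\x00",),
    "djvu": (b"AT&T",), "zip": (ZIP,), "docx": (ZIP,), "xlsx": (ZIP,), "pptx": (ZIP,),
    "docm": (ZIP,), "xlsm": (ZIP,), "ppsx": (ZIP,), "doc": (OLE,), "xls": (OLE,),
    "ppt": (OLE,), "pps": (OLE,), "msi": (OLE,),
}
TEXT_LIKE = {"txt", "xml"}          # normally far below 6 bits/byte of entropy
TEXT_ENTROPY_LIMIT = 6.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; plain text sits around 4 to 5, ciphertext near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def assess_file(path: str):
    """Return a reason string if the file looks encrypted, else None."""
    ext = os.path.splitext(path)[1].lstrip(".").lower()
    if ext not in TARGET_EXT:
        return None
    with open(path, "rb") as fh:
        head = fh.read(4096)
    if ext in MAGIC and not head.startswith(MAGIC[ext]):
        return "header does not match ." + ext
    if ext in TEXT_LIKE and shannon_entropy(head) >= TEXT_ENTROPY_LIMIT:
        return "text file with %.2f bits/byte entropy" % shannon_entropy(head)
    return None


def scan_tree(root: str) -> dict:
    """Map every suspicious file under root to the reason it was flagged."""
    flagged = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reason = assess_file(path)
            if reason:
                flagged[path] = reason
    return flagged


def build_sample_tree(root: str) -> None:
    """Constructed files: two intact, two that look encrypted, one not targeted."""
    noise = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    samples = {
        "report.txt": b"Quarterly figures, plain text, nothing unusual here.\n" * 40,
        "photo.jpg": b"\xff\xd8\xff\xe0" + noise,      # valid JPEG header kept
        "notes.txt": noise,                             # text file turned to noise
        "holiday.jpg": noise,                           # JPEG header overwritten
        "readme.md": noise,                             # extension not targeted
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


def demo_scan() -> dict:
    """Build the sample tree in a temp dir and return {basename: reason}."""
    root = tempfile.mkdtemp()
    build_sample_tree(root)
    return {os.path.basename(p): r for p, r in scan_tree(root).items()}


if __name__ == "__main__":
    for name, reason in demo_scan().items():
        print(name, "->", reason)
```

Point it at a user profile with `scan_tree(path)`. Compressed formats (zip, jpg, pdf, the Office Open XML types) are high-entropy by nature, which is why the signature check rather than the entropy check does the work for them; the entropy check is reserved for formats whose legitimate content is never random.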

(Image: ransom1)

Picture 1: The file’s content before and after being encrypted.

(Image: ransom2)

Picture 2: Encryption algorithm

Then the virus displays a message in Russian to the user through Windows Notepad. Translated into English, the message reads:

“All your files have been locked!

To unlock your computer, you need to pay 400 rubles into our account 41001473616253 from any ATM.

After the payment, send a scan of your bill to the email address: razb[removed]kompa@gmail.com

After we receive your money, instructions for unlocking your computer will be sent to your email address within 24 hours.

Instruction for the replenishment of our account can be found here:

Http://money.yandex.ru/i/shop/qiwi-instruction.jpg

Also you can pay in any other way. After the payment, write an email to inform us how and when you paid.”

Is 400 rubles (about 14 USD) for all of your precious data too cheap? Would you hand over this sum of money? If I were in this situation, my answer would always be “No”, simply because there is a much better choice: getting help from antivirus experts. To remove this virus from your computer, just download Bkav from http://www.bkis.com/home/DownloadE.aspx and install it. Then you can use BkavDecryptTool to decrypt the data encrypted by the virus.

Hope you soon solve your virus problem and get back to your favorite work! :D


Nguyen Cong Cuong
