Sep 22 2011

Virus faking DHCP Server widely raging in businesses’ networks

Published by under Security Research

Recently, users in many business networks have found that they suddenly cannot access any websites. Instead, they see a request to update their browsers.

On clicking “Browser update”, a “program” is supposed to be downloaded to “update” the users’ browsers.


This is indeed a virus.

LANs with this problem all have at least one computer infected with W32.Gatpaz.Worm. This virus imitates a DHCP server and sends configuration information to clients that replaces their DNS server addresses with the hacker’s server. Then, when the affected computers attempt to connect to the Internet, users are redirected to phishing websites crafted by the hacker.
Only LANs that use a DHCP server for dynamic IP address assignment are affected.

In this IP address assignment model, each LAN is equipped with one DHCP server, which is in charge of managing and assigning IP addresses to its clients. When a client needs an IP address to connect to the Internet, it broadcasts a DHCPDISCOVER message across the network. Upon receiving the message, the DHCP server processes it and allocates the client an IP address. This broadcast step is what the hacker exploits to set up a fake DHCP server, provided Gatpaz has been successfully installed on any client in the network. Besides allocating an IP address to the client, the fake DHCP server changes the client’s DNS server to the hacker’s. The hacker then gains total control over which websites users reach.
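One way a defender can check what a DHCP offer actually carries, as an added example that is not part of the original post: the code parses the BOOTP header and the option TLVs of a DHCP message and flags an OFFER or ACK whose server identifier (option 54) or DNS servers (option 6) are not in the LAN’s inventory. The trusted addresses, the rogue server 192.168.1.77 and the DNS server 203.0.113.5 are constructed sample values, and the offer itself is built in memory as test input, not captured from a network.

```python
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"           # marks the start of the DHCP option area
OPT_PAD, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 6, 53, 54, 255
DHCPOFFER, DHCPACK = 2, 5
TRUSTED_SERVERS = {"192.168.1.1"}   # assumed inventory of the LAN's real DHCP server (constructed)
TRUSTED_DNS = {"192.168.1.1"}       # and of the resolver that server is supposed to hand out

def parse_dhcp(packet: bytes) -> dict:
    """Decode the fixed BOOTP header check plus the TLV options of one DHCP message."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    options, i = {}, 240
    while i < len(packet) and packet[i] != OPT_END:
        tag = packet[i]
        if tag == OPT_PAD:            # single-byte padding has no length field
            i += 1
            continue
        length = packet[i + 1]
        options[tag] = packet[i + 2:i + 2 + length]
        i += 2 + length
    dns_raw = options.get(OPT_DNS, b"")
    return {
        "msg_type": options.get(OPT_MSG_TYPE, b"\x00")[0],
        "server_id": str(IPv4Address(options[OPT_SERVER_ID])) if OPT_SERVER_ID in options else None,
        "dns": [str(IPv4Address(dns_raw[j:j + 4])) for j in range(0, len(dns_raw) // 4 * 4, 4)],
    }

def audit_offer(packet: bytes, trusted_servers=TRUSTED_SERVERS, trusted_dns=TRUSTED_DNS) -> list:
    """Flag an OFFER/ACK whose sender or pushed DNS servers are not in the inventory."""
    msg = parse_dhcp(packet)
    if msg["msg_type"] not in (DHCPOFFER, DHCPACK):
        return []                     # only server-to-client messages hand out configuration
    findings = []
    if msg["server_id"] not in trusted_servers:
        findings.append(f"offer from unexpected DHCP server {msg['server_id']}")
    findings += [f"offer pushes untrusted DNS server {d}" for d in msg["dns"] if d not in trusted_dns]
    return findings

def build_offer(server_id: str, dns_servers: list, yiaddr="192.168.1.50") -> bytes:
    """Construct a minimal DHCPOFFER in memory as test input (constructed, not a captured packet)."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x3903F326, 0, 0,
                         bytes(4), IPv4Address(yiaddr).packed, bytes(4), bytes(4),
                         bytes.fromhex("aabbccddeeff") + bytes(10), bytes(64), bytes(128))
    dns = b"".join(IPv4Address(d).packed for d in dns_servers)
    opts = (bytes([OPT_MSG_TYPE, 1, DHCPOFFER]) + bytes([OPT_SERVER_ID, 4]) + IPv4Address(server_id).packed
            + bytes([OPT_DNS, len(dns)]) + dns + bytes([OPT_END]))
    return header + MAGIC_COOKIE + opts
```

In a real deployment the packet bytes would come from a sniffer listening on UDP port 68 on a monitoring host; an offer that trips either check is the signal that a Gatpaz-style rogue server is active on the segment.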

To completely solve the problem of viruses disrupting business networks, Bkav recommends that a comprehensive enterprise antivirus solution be employed.

Analyst: Ngo Anh Huy – Bkav R&D


Sep 06 2011

New fraud software distribution stratagem via spam email impersonating government agencies

Published by under Security Research

Following our blog entry on spam emails impersonating the FBI to distribute W32.FakeFBIVariantovLT.Trojan, we have discovered a new fraud software distribution stratagem which uses spam email faking the New York State Police. The email, sent from an address at the domain nyc.gov, informs the receiver of speeding at 7:25 am on July 5. It then requests that the receiver print out the enclosed ticket and send it to the court if he wants to plead.

The receiver may not even have been in New York at the stated time. He still opens the attached file, either because he wants to plead or simply out of curiosity. When extracted, the file appears with the icon of a PDF file; it is actually a trojan. Once run, this trojan connects to various addresses and downloads a great deal of other malware, which lowers the security level of the system.
One of the downloaded pieces of malware is detected as W32.FakeHddRepair.Trojan by Bkav.
Like FakeFBIVariantovLT.Trojan, FakeHddRepair.Trojan constantly displays notifications of hard drive errors:

The fake HDD Repair program interface appears, scans, and points out hard drive errors. Users are then told they need to activate the software to fix these errors.

This fraud scenario is quite familiar: warn users of non-existent serious errors in the system, offer a program interface to fix those errors, and of course make users pay for a license for the software. Since there is important data on their computers, many people will agree to pay an amount to “recover” that data. However, for the most effective and comprehensive protection, users are recommended to use licensed antivirus software with regular virus definition updates.

Nguyen Hung Phu

Malware researcher


Aug 03 2011

Challenging message to antivirus software

Published by under Security Research

Recently our HoneyPot collected a virus sample which sends a challenging message to any antivirus software.

“[Sab0tagE] : The Next Level
Your computer has been SABOTAGEd.
Where is your AntiVirus when you need one?
You talk of times of peace for all,
And then prepare for war.
Remember! Even you win the rat race, you are still a rat!
Silver FoX – Lampung Underground”

Once the system is infected with this virus (detected as W32.DownloadWinsLnr.Trojan by Bkav), the Windows directory is locked. Users can no longer access this folder, and even antivirus software cannot detect the hidden virus if it is set to run in user mode.

Actually, the technique DownloadWinsLnr uses is quite simple. It only needs to set permissions on the Windows directory that deny all access to it, and that alone lets the virus achieve everything described above.

However, the virus creator, while issuing such challenging messages, did not anticipate that kernel mode is not controlled by permission settings, and most high-profile antivirus software has a module working at kernel level. Thus, once the virus signature is recognized, the antivirus software can easily remove it from the system, but the Windows directory still cannot be accessed normally. If you encounter this situation, you can use this tool to bring your system back to normal operation.

Download fix tool

CanhDK

Malware Researcher


Jun 13 2011

Mis-typing, pickpocketed …

Published by under Security Research

Have you ever accessed faceboook.com? At a glance, you may mistake this domain for the most popular social networking site, Facebook.com. With a closer look, however, you will definitely see the difference: “book” has been replaced by “boook”. This fake domain has been employed by hackers to fool users. Since there is a huge number of Facebook users, the probability of mis-typing is quite high.
Upon mis-typing and accessing the fake domain “faceboook.com”, users are redirected to another website with a Facebook-styled interface.

Figure 1: The browser redirects users to another website upon their mis-access to faceboook.com

Based on users’ IP addresses, hackers are able to identify which country they are in and redirect them to a website in the corresponding language. This shows the bad guys’ effort to build a phishing network across many nations of the world.
The bad guys have created a quite attractive scenario: you have been selected to take part in a celebration and have the chance to win one of three gifts, namely an iPhone 4, a MacBook Air or an iPad.

Figure 2: The browser redirects users to another site upon their mis-access to gmial.com

However, to get this gift you have to answer some questions and send a message to a switchboard number provided by the hacker, which of course is not free. As a result, you will lose an amount from your phone account.

Figure 3: Guidance to send message

As far as I see, hackers have registered a lot of domains faking popular websites to serve this campaign, such as:

| Fake domain   | Genuine domain |
|---------------|----------------|
| Faceboook.com | Facebook.com   |
| Twittter.com  | Twitter.com    |
| Yooutube.com  | Youtube.com    |
| Gmial.com     | Gmail.com      |
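The four fake domains in the table fall into just two typo classes: a repeated letter (faceboook, twittter, yooutube) and two adjacent letters swapped (gmial). The following code, an added example that is not part of the original post, generates those two classes for a list of protected domains and classifies a candidate domain against them, which is the check a brand-monitoring or DNS-log review would run; the protected list is taken from the table and is the only input assumed.

```python
PROTECTED = ["facebook.com", "twitter.com", "youtube.com", "gmail.com"]  # genuine domains from the table

def typo_variants(label: str) -> dict:
    """Map every one-step typo of a domain label to its typo class.

    Covers the two classes seen in the campaign: one letter typed twice
    ("facebook" -> "faceboook") and two adjacent letters swapped ("gmail" -> "gmial").
    """
    variants = {}
    for i, ch in enumerate(label):
        variants[label[:i] + ch + label[i:]] = "repeated letter"
    for i in range(len(label) - 1):
        if label[i] != label[i + 1]:       # swapping identical letters changes nothing
            swapped = label[:i] + label[i + 1] + label[i] + label[i + 2:]
            variants.setdefault(swapped, "transposed letters")
    return variants

def classify(domain: str, protected=PROTECTED):
    """Return (genuine_domain, typo_class) when `domain` is a one-step typo of a
    protected domain under the same TLD, or None when it is genuine or unrelated."""
    name, tld = domain.lower().rsplit(".", 1)
    for genuine in protected:
        g_name, g_tld = genuine.rsplit(".", 1)
        if tld != g_tld or name == g_name:
            continue                      # different TLD, or the real site itself
        kind = typo_variants(g_name).get(name)
        if kind:
            return genuine, kind
    return None

def suspicious_domains(domains, protected=PROTECTED) -> list:
    """Filter a batch of observed domains (e.g. from DNS logs) down to likely typosquats."""
    return [(d, *classify(d, protected)) for d in domains if classify(d, protected)]
```

Running `suspicious_domains` over the four fake names from the table reports each one together with the genuine site it imitates, while the genuine names themselves pass through unflagged.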

If you happen to know any more fake domains like these, report them to us.
Due to the campaign’s large scale, quite a large number of people mis-type a domain name and are redirected to the phishing site.

Figure 4: A week after domain registration, traffic rank of phishing site reached an alarming figure (source: Alexa.com)

To avoid falling victim to the bad guys’ traps, users are recommended to verify the domain they typed whenever the content displayed differs from the site they usually visit.

Bkis


May 25 2011

Be Cautious with “Activate Dislike Button” of Facebook

Published by under Security Research

Recently, lots of Facebook users have been deluded into clicking on “Activate Dislike Button”.
Taking advantage of users’ desire for a Facebook Dislike button, several spam messages about activating the Dislike button have appeared; their goal is to take control of users’ Facebook accounts in order to spread further spam messages.

Spam message about “Activate Dislike Button”

If users click on “Activate Dislike Button”, their browsers are redirected to http://lnktrn.ch/dislike, a fake Facebook page where users are asked to copy a code and execute it in their browsers to enable the “Dislike” button.

Imitating Facebook’s instructions

The code is in fact encrypted JavaScript. Upon analysis, we found that the code is tasked with sending spam messages to the friends on the victim’s Facebook account. The messages say: “Facebook just <keyword> dislike button! Click <onword> ‘Activate Dislike Button’ below to enable it on your <apterm>!”. Here, <keyword> is selected at random from “added the”, “launched” and “released the”; <onword> is either “on” or “On”; and <apterm> is a random choice between “profile” and “account”.

The code to spread spam

Once the code is activated, the users’ Facebook accounts will be used to propagate similar spam messages.

Massive spam messages are sent from the victims’ accounts

Then users are asked to verify their accounts, another fake request, in order to enable the Dislike button.


Fake request to verify the account

Once the “Continue” button is clicked, users’ browsers are redirected to http://lnktrn.ch/dislike/dislikebutton.php, a page that looks like a Facebook account verification page. After analyzing the page, we saw that it executes Flash content. However, due to certain errors, the Flash object could not display its content. It may serve as a notice to trick users into entering their username and password to log into their Facebook accounts.

The content of http://lnktrn.ch/dislike/dislikebutton.php

Up till now, there have not been any signs that malware is spread through these spam messages. However, technically this could certainly be done with the JavaScript code mentioned above. Our HoneyPot system continues to watch this fraud case.
To ensure the security of your account, you are advised to be cautious with similar messages and to expect notices of new functions only from Facebook’s official website.

Tran Minh Quang

Malware Researcher

