by Dave Michmerhuizen & Luis Chapetti – Security Researchers
Most computer users have a haunting fear that somehow malware will find a way to sneak onto their PCs when they are not looking. The truth is that while this does sometimes happen, the most common types of malware rely on trickery to invade and infect your computer.
An excellent example of this fell into our spam traps recently, a spam that pretended to be from Facebook (an easy thing to fake, actually) hiding its payload behind an official looking graphic from Microsoft.
In this case the image is an HTML link supposedly offering up Microsoft Silverlight. If you take your time and examine the destination of that link you'll see that the real payload is a .PIF file from an IP address in Malaysia. PIF files are Windows executable files, and in this case the executable that is actually sent is Trojan.Win32.Jorik. It can't sneak onto your computer and install itself though; it needs your help to do that.
Clicking on the Silverlight graphic does warn you that you're about to run a program. This is why the Microsoft graphic is a clever addition to the ruse – you think you should be running a Microsoft program, and it's doing exactly what you expect.
The problem, of course, comes once you've pressed ‘Run' and find out there is no Facebook or Silverlight, there is only malware. Trojan.Win32.Jorik is actually a keylogger. It begins monitoring your Web browsing, writing every keystroke and Web page title into a disk file.
The keylogger can capture almost anything you do on the Web. This is of particular concern when visiting secure sites whose credentials you definitely want kept private as demonstrated.
We entered FakeUsername and FakePassword on all three sites. The results were easily found in the disk file that the keylogger maintains.
Ultimately this disk file is sent back to a command and control server, hidden by no-ip.com and most likely also in Malaysia.
The bottom line, as we always say at Barracuda Labs, is to maintain a healthy skepticism about anything that appears in email. The easiest way into your computer is to persuade you to push that ‘run' button. Spammers and malware distributors are constantly looking for ways to convince you to do just that. Be vigilant, don't be a victim.
Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails. Barracuda Web Filters and the Barracuda Web Security Flex service stop the download of this threat.