By Dave Michmerhuizen, Security Researcher
Two months ago a Trojan called Here-you-have had its fifteen minutes of fame, infesting mail servers around the world and clogging the networks of more than a few large institutions.
One key feature that allowed this Trojan to replicate was a deception that, while not exactly new, fooled a large number of people. The file carrying the Trojan had the extension .SCR, which Windows uses for screensavers. A Windows screensaver is just another type of program, but many users are unaware of this; they clicked Run and spread the Trojan.
Since the Here-you-have outbreak, Barracuda Labs has seen a very significant increase in the number of attacks that attempt to deliver malware by disguising the payload in the very same way. According to Barracuda Networks Security Researcher Luis Chapetti, at one point in early November over 50% of all emails containing HTML-style links seen by our honeypots were attempting to deliver malware with a .SCR extension. The examples we have seen are silent but deadly, as we show below.
A typical attack starts with a convincing tax-form spam targeting financial professionals.
A close reading shows not only the aforementioned .SCR extension but also a tell-tale misspelling and a suspicious domain. Still, it's not always easy to stop and do a close reading. Instead, a harried office worker might just click the link to see what the tax forms in this .PDF are all about. Doing so does produce a warning dialog.
But of course if you're in a hurry you might just see the letters “PDF” and click on Run anyway. What happens if you do?
At least nothing you can see. You could click that link multiple times and see nothing at all, eventually assuming something was wrong somewhere and just giving up and moving on. What really happens, though, is that a file is downloaded and added to Internet Explorer.
The file is downloaded with a .SWF extension, making it appear to be an Adobe Flash file. This is done to evade firewall rules that might block the download of a .DLL, which is what the file actually is.
The .DLL file is a BHO – a Browser Helper Object, a piece of software designed to extend and enhance Internet Explorer. Add-on toolbars and Adobe's PDF reader are examples of legitimate BHOs. The file downloaded by clicking on the spammed link is an example of a malicious BHO.
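Two of the disguises described above can be checked mechanically on the mail gateway or proxy: a link whose path ends in an executable extension such as .SCR, and a download whose name claims a passive format (.SWF) but whose bytes carry a Windows PE header. The following is an added example written for this post, not Barracuda's own tooling; the sample mail body, the .invalid URLs and the AcroIEHelper2.swf filename are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions Windows runs as programs; .SCR (screensaver) is the one this campaign abuses.
EXECUTABLE_EXTS = (".scr", ".exe", ".dll", ".com", ".pif", ".bat")
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")   # Flash headers: uncompressed, zlib, LZMA

def is_pe(data: bytes) -> bool:
    """A Windows PE (EXE/DLL/SCR) starts with 'MZ' and has the PE signature at offset e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def extension_mismatch(filename: str, data: bytes) -> bool:
    """Flag a download whose name claims a non-executable format but whose bytes are a PE."""
    claims_executable = filename.lower().endswith(EXECUTABLE_EXTS)
    return is_pe(data) and not claims_executable

class _LinkExtractor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def risky_links(html: str) -> list:
    """Return hrefs in an HTML mail body whose URL path ends in an executable extension."""
    parser = _LinkExtractor()
    parser.feed(html)
    return [u for u in parser.hrefs if urlparse(u).path.lower().endswith(EXECUTABLE_EXTS)]

# Constructed sample mail body (hypothetical URLs on the reserved .invalid TLD).
SAMPLE_MAIL = """<p>Your tax forms are ready.</p>
<a href="http://example.invalid/forms/TaxForm2010.PDF.scr">TaxForm2010.PDF</a>
<a href="http://example.invalid/help.html">Help</a>"""

# Constructed file contents: a minimal PE header (DOS header with e_lfanew=0x40, then "PE\0\0")
# standing in for the disguised DLL, and a genuine-looking zlib-compressed Flash header.
FAKE_DLL = b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0" + b"\0" * 16
FAKE_SWF = b"CWS\x0a" + b"\0" * 16

if __name__ == "__main__":
    print("suspicious links:", risky_links(SAMPLE_MAIL))
    print(".swf that is really a DLL:", extension_mismatch("AcroIEHelper2.swf", FAKE_DLL))
    print("real .swf:", extension_mismatch("movie.swf", FAKE_SWF))
```

The magic-byte check is what a firewall rule keyed only on the .DLL extension lacks, which is exactly why the attackers renamed the file.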
Browser Helper Objects have access to everything the browser does, including web page traffic before encryption is applied. Therefore, what the malicious AcroIEHelper2.dll does chillingly well is steal any username and password pair you enter into your browser, even if the site is HTTPS enabled. We tested this with Chase Bank's secure online banking logon page.
Note that we are viewing the actual Chase logon page, not a phishing site hosted somewhere else. We entered dummy credentials – BarracudaTest and TestPassword – pressed “Log on” and watched the network traffic behind the scenes.
The username and password we had entered were winging their way to servers that have nothing to do with Chase Bank. They can plainly be seen in this reconstruction of the traffic.
We tested a number of other websites, such as Wells Fargo, Netflix and Google's service login page. In every case the supplied credentials were sent to the malware drop points. The goal is to steal online banking credentials and then drain the associated accounts, particularly small-business accounts, which do not have the same protection as consumer accounts.
It's worth noting that the BHO would not install if the Vista or Windows 7 user account has User Account Control (UAC) enabled, or if the XP user account is a limited account. Limited accounts and UAC may seem inconvenient, but they exist to keep things like this from happening.
The bottom-line message is clear: don't click on links you don't recognize, and take to heart the lesson that Here-you-have taught and that the malware you are now exposed to keeps repeating. .SCR files are not something you want to open or run.
Customers using the Barracuda Spam & Virus Firewall, Barracuda Web Filter, and/or the Barracuda Web Filtering Service are protected from this attack.