Bizarre Clipboard attack linking to “greyware” sites

There seems to be a interesting little wrinkle in the malware saga. A new malware has been detected which is overwriting the clipboard with a link to some bogus malware removal tool. It is not clear exactly how it is doing this but we can gather some information from the reports.

It overwrites the clipboard – there are not that many ways of doing that so a breakpoint on SetClipboardData would probably tell a lot about what is doing it. It seems to do it on a timer so looking at who was setting up timers would also be of use – and the WM_TIMER messages would tell you at least one of its windows.

It appears to be memory resident. Initial reports from victims say that restarting the machine stops the clipboard overwrite. This isn’t something so commonly seen these days but a lot of anti-virus products focus on checking file reads and writes and this may be an attempt to avoid detection.

There has been a lot of speculation that this is linked to the odd news SPAM that has been doing the rounds. Here is a sample:


“From: Top News Agency
Sent: Monday, August 18, 2008 9:47 PM
To:
Subject: Weekly top news


Richardson: I was a little 'uneasy' about a Clinton roll call

New Mexico Gov. Bill Richardson said he's now comfortable with Sen. Hillary Clinton placing her name in nomination at the Democratic convention, but he admitted he was uneasy about the move at first


Read All (43) breaking news [link omitted]
AND 24 shocking videos [link omitted]”

The links were to a firm of lawyers and the site had probably been hacked. It was a Linux machine running Apache.

The link that appears on the clipboard is for pretty standard bogus anti-malware product of the type that seems so common these days.

If anyone finds a machine which has the odd overwritten clipboard behaviour, a dump of kernel memory would be very revealing. I would like to look at that.

Until next time, signing off

Mark Long, Digital Looking Glass