MSRT May 2010: On the Offensive Against the Odious Oficla

The family added to this month's MSRT release is Win32/Oficla, a downloader that receives download 'tasks' from a control server. In the wild, variants of Win32/Oficla have been observed to download malware from families such as Win32/Cutwail, Win32/Zbot, Win32/Alureon, Win32/FakeScanti and Win32/FakeRean.
The Win32/Oficla package, which includes the software infrastructure to manage and control the Oficla drones, is sold online. The controller is able to inspect various statistics from a given set of drones via a browser-based interface. The interface also has the ability to initiate and maintain different download tasks that Win32/Oficla will be directed to perform.
The author(s) of Win32/Oficla appear to have begun advertising their 'wares' online in April 2009. The asking price at that time was between $450 and $700 USD, depending on the version.
Win32/Oficla is often delivered as a file attachment to spam e-mail messages. Many of the e-mail lures employed use parcel-delivery themes (for example, UPS, DHL, etc.). These are the very same lures observed in Win32/Bredolab campaigns, which may explain some confusion between the two malware families.
Here are a couple of different emails from the last week:
iTunes lure:
Subject: Thank you for buying iTunes Gift Certificate!
You have received an iTunes Gift Certificate in the amount of $50.00
You can find your certificate code in attachment below.
Then you need to open iTunes. Once you verify your account, $50.00 will be credited to your account, so you can start buying music, games, video right away.
iTunes Store.
Contract lure:
Subject: Open an account
Dear Customers,
We have prepared a contract and added the paragraphs that you wanted to see in it.
Our lawyers made alterations on the last page. If you agree with all the provisions we are ready to make the payment on Friday for the first consignment.
We are enclosing the file with the prepared contract.
If necessary, we can send it by fax.
Looking forward to your decision.
Stay safe out there!
- Scott Molenkamp