.PIF files are like those organs we are said to have for some reason that are not necessary in these modern times. If you still remember the pain of migrating from DOS 5.0 to Windows 3.0, you will remember that we had .PIF files because DOS binaries did not have all the niceties of Windows programs, such as embedded icons and a place to store the default start-up path. Back when Ugg the Caveman was discovering fire and Bill Gates was leading a development team, you could make your DOS Executables APPEAR to be Windows files by sticking a .PIF file of the same name in the same directory. Windows knew that it should associate the .PIF file with the .EXE or .COM file of the same name, and suddenly we had icons! Of course the malware authors have done some sneaky things with this in the past. When Sality was a young pup, browsing a directory that contained the ".pif" format of Sality was enough to get Windows to execute the malware -- because "Active Desktop" knew that if it saw a .PIF file, it should load it so it would know what graphical icon to associate with which programs in the directory listing. Unfortunately, that was all Sality needed to launch itself! So many people were victimized thinking that the AUTORUN=OFF on their thumb drive had failed without realizing it was just what .PIF files did back then.
So, this morning in the Malcovery Spam Data Mine we saw 1,440 copies of a spam message claiming to be from "orange.pl" with the subject "MMS-ie" and a 70,390 byte .zip file with a randomly numbered IMG#####.zip filename. The .ZIP file contained a 126,976 byte .PIF file that was named "IMG875002763.JPEG.pif" and had an MD5 hash of d382068a8666914584d0ae51dd162c6b. When I just checked the file a few minutes ago on VirusTotal, thinking I would see various Zeus-related malware names based on the SCMag / WebSense articles, I was surprised to see that the file was actually TinBa or "Tiny Banker"!
Late last week I was one of the many folks trying to get a friend to get me a copy of the Tinba source code that had been leaked, as Peter Kruse over at CSIS told us on July 10, 2014 (See Tinba/Hunterz source code published. Peter shared a talk The Hunterz Inside Tinba at the recent Cyber Threat Summit, and, with Trend Micro's Robert McArdle and Feike Hacquebord, released a paper called "W32.Tinba, The Turkish Incident" (a 24-page PDF that gives great insights into the malware family).
Tinba: The Polish IncidentIf the earlier paper was called "The Turkish Incident", perhaps the current version should be called "The Polish Incident". Here is the email that was distributed so prolifically this morning:
Jeżeli Twój telefon nie obsługuje wiadomości multimedialnych, możesz je wysyłać i odbierać korzystając ze Skrzynki MMS lub Albumu MMS. Wystarczy, że zalogujesz się na www.orange.pl. O każdym otrzymanym na skrzynkę MMS-ie powiadomimy Cię E-mail.
Jeśli odbiorca wiadomości nie ma telefonu z obsługą MMS będzie mógł ją odebrać logując się w portalu www.orange.pl, a następnie wybierając Multi Box i zakładkę MMS. Wiadomości multimedialne możesz też wysyłać na dowolny adres e-mail.
In case you aren't as fluent in Polish as the rest of us, here is how Google Translate renders that:
If your phone does not support multimedia messages, you can send and receive using the Crates MMS or MMS Album. Simply log on www.orange.pl. For each received in an MMS message box will send you e-mail. If the recipient of the message does not have MMS-capable phone will be able to pick it up by logging into the portal www.orange.pl, and then select Multi Box and MMS tab. Multimedia messages can also be sent to any e-mail.The spam from Monday, July 14th, was Tinba spam according to VirusTotal. Late this evening (about 18 hours after the spam campaign) VirusTotal reported a (25 of 53) detection rate.
The spam from July 11th was also in Polish, and also imitated Orange, although this time the sender was Orange.com. There was a .zip file attached, which contained a file named "DKT_Faktura_indywidualna_2014_07_11_R.pdf.pif" which was 102,400 bytes in size and had an MD5 hash of da9330aa6d275ba28954b88ecf27dedb. The .zip file was 70,323 bytes with MD5 hash of fc1e0a665f99b347e424281a8a6a2526. The spam from July 11th was also Tinba spam, according to many vendors at VirusTotal. But the email body was much simpler. The message, still in Polish, was:
Przesyłamy fakturę Telekomunikacji Polskiej w wersji elektronicznej za czerwiec 2014.
We send an invoice Polish Telecom in the electronic version for June 2014.
But of course it was more malware, disquised as an invoice but actually a .pif file.
The current detection at VirusTotal for that campaign is 33 of 53 detections.
Unlike the Turkish Incident, where Tinba was being dropped by the Blackhole Exploit Kit, in the current spam, Tinba is directly attached to the email message.