Malware at Stake

Analysis, straight from the hidden and underground.

Intuit and BBB Under Targeted Attacks - Phishing (Malware)

About BBB and Intuit: Better Business Bureau is an ethical marketplace where buyers and sellers can trust each other, as defined here. Intuit provides a powerful software-as-a-service platform.

ALERT: Be careful in clicking links.

BBB and Intuit are under targeted attacks, and other organizations are being targeted as well. Phishing emails pointing to a malicious domain that serves obfuscated iframes are being thrown into the wild at a rapid pace. The emails look very legitimate, but a single click can cause serious damage. Since these are big organizations, we feel that the risk is much higher. That is why this alert is here.


Malicious - Phishing Email Targeting - BBB




Malicious - Phishing Email Targeting - INTUIT



The gift that the malicious domain sent us is presented below (truncated version).



The deobfuscation details of this script will be posted soon. We are analyzing other facets of this targeted attack.

Cloud Infections on Fire - Amazon's WS

It has been seen recently that Amazon Web Services (AWS) has become a playground for attackers to host malware. Some incidents have been reported earlier. Cloud services provide good storage as well as the remote-access properties needed for serving malware through the cloud, and attackers are always impressive in circumventing the normal operations of any cloud service in order to distribute malware effectively. We came across another incident in which malware is hosted on an AWS server.

We started exploring the malware-driven directory. Direct access to the directory was not allowed and we received the following error.



This shows that the directory is in a forbidden state, which resulted in the HTTP error presented above. We needed a direct link to the malicious executable. On analyzing further and gathering information, we found the Amazon cloud hosting malware as shown below.



After successfully downloading it, we found that the executable was packed with the UPX packer at 33.6% compression. On unpacking, the code unrolled a bit and presented us with a complex and lengthy code file. The executable was actually a package file written in Borland. Its main functionality was to download another set of malicious files from a different Amazon AWS directory. The complete set of files was downloaded into the "c:\winsys" directory. We extracted another set of files as presented below.
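As a triage check a defender could run on a sample like the UPX-packed dropper described above, this added Python example (not from the blog) walks a PE section table and flags the markers that make a UPX-packed binary stand out: UPX-named sections and a section that is mapped but has no raw data. The PE headers it parses are constructed inside the script; it is a heuristic, not a full unpacker.

```python
import struct

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes

def parse_sections(data):
    """Walk the PE section table and return (name, virtual_size, raw_size) tuples."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]  # SizeOfOptionalHeader
    off = coff + 20 + opt_size  # first section header follows the optional header
    out = []
    for _ in range(nsec):
        name, vsize, _vaddr, rsize = struct.unpack_from("<8sIII", data, off)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, rsize))
        off += SECTION_HDR.size
    return out

def upx_report(data):
    """Heuristic UPX triage: section names plus a mapped-but-empty section."""
    secs = parse_sections(data)
    names = [n for n, _, _ in secs]
    upx_named = any(n.startswith("UPX") for n in names)
    # UPX0 is typically all virtual size and zero raw data: the stub
    # unpacks the original code into it at run time.
    hollow = any(v > 0 and r == 0 for _, v, r in secs)
    total_v = sum(v for _, v, _ in secs)
    total_r = sum(r for _, _, r in secs)
    ratio = round(100.0 * total_r / total_v, 1) if total_v else 0.0
    return {"sections": names, "upx_named": upx_named, "hollow_section": hollow,
            "raw_to_virtual_pct": ratio, "likely_upx": upx_named or hollow}

def build_sample_pe(sections):
    """Constructed minimal PE header for testing; not a real or malicious binary."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    body = b"".join(SECTION_HDR.pack(n, v, 0x1000, r, 0x400, 0, 0, 0, 0, 0x60000020)
                    for n, v, r in sections)
    return dos + b"PE\0\0" + coff + body
# Constructed samples: a UPX-style layout and a plain, unpacked layout.
PACKED = build_sample_pe([(b"UPX0", 0x20000, 0), (b"UPX1", 0x10000, 0x10000), (b".rsrc", 0x2000, 0x1000)])
PLAIN = build_sample_pe([(b".text", 0x1000, 0x1000), (b".data", 0x200, 0x200)])
if __name__ == "__main__":
    print(upx_report(PACKED))
    print(upx_report(PLAIN))
```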


This shows that the package acts as a dropper. We took a look at one of the executables, named "BROWN.exe", which was packed with UPX again, so we unpacked it once more to understand the crux.


The executable was written in Visual Basic. So we ran a check using anti-virus, and without a doubt it was malware, as shown below.


So we are not digging deeper. If you require samples, please drop us a line.

VB - Dissecting NGR bot Framework


Last month, we released our paper on NGR bot.

Abstract: "The latest variants of IRC-based botnets, such as the NGR botnet, are designed to steal sensitive information by exploiting browser processes and acting as backdoors. Aditya Sood and colleagues discuss the framework of the NGR bot version 1.1.0.0, which is growing in prominence in the malware world."

It's here: http://www.virusbtn.com/virusbulletin/archive/2012/01/vb201201-NGR-botnet

Enjoy!

Commercial Crime International - Social Networks Article




"The advent of social networks has turned the online world into a virtual society. And whilst social networks serve as seamless communication channels, they are also an ideal launch pad for malware infections. There has been a tremendous increase in the dissemination of malware infections through social networks."

Check out the article in Commercial Crime International - ISSN 1012-2710.

Virus Bulletin - Formgrabbing on Fire

Botnets such as Zeus, SpyEye and others use the effective technique of form grabbing to steal sensitive information from victims' machines. We are presenting the complete details of the form-grabbing technique.

http://www.virusbtn.com/virusbulletin/archive/2011/11/vb201111-form-grabbing

BlackHole BEP + HP Scanner Infections

We have recently encountered a heavy set of email traffic spreading HP scanning emails with non-legitimate links. No doubt, this campaign is a traffic infection process that sends a plethora of emails around the internet. Getting email addresses is not a big deal nowadays; it is just a walk in the park for phishers or attackers. This HP scanning email looks as presented below.

The only part that interests us in giving a brief shot at this malware campaign is the usage of Java exploits through the BlackHole BEP.
The user is forced or tricked into visiting a domain with the URL hxxp://finance-motor.info/main.php, which further redirects to the malicious domain hxxp://ahredret.ru/main.php. The URL is on a Russian domain with the following registration information:
domain: AHREDRET.RU
nserver: dns1.naunet.ru.
nserver: dns2.naunet.ru.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
e-mail: mxx3@yandex.ru
registrar: NAUNET-REG-RIPN
created: 2011.10.06
paid-till: 2012.10.06
source: TCI

Last updated on 2011.10.17 20:35:46 MSK/MSD


The above information shows that this domain is activated and was recently accessed. The active time stamp shows that this is an active infection process. Without a doubt, the domain has port 80 and port 22 open. Port 80 serves the BlackHole BEP and port 22 is for administration, as shown below.

22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey: 1024 bb:d1:ae:ea:db:46:97:2a:09:ca:38:cc:50:47:9c:24 (DSA)
|_1024 39:1d:f5:8c:fa:ad:9c:02:a0:bf:db:9d:2a:24:73:bb (RSA)
80/tcp open http nginx


So, the next step was to try wepawet, but as expected the server did not respond well to the tool, as presented below.


The automated HTTP request/response and detection module did not work appropriately. In the end, it is all about manual analysis by setting up an appropriate sandbox environment. We preferred generic settings that give the malware an opportunity to expand and give us the information that is required. So, on carefully performing manual testing, we were served with the exploit prototype as follows.


The field.jar contains the following set of Java files.



We have already performed analysis on this kind of exploit, which is used effectively by BlackHole (Java is what I like the most for spreading infections).

Fetch the code - http://www.secniche.org/sample_exploits/hp_scan_exploit.rar

Enjoy!

Virus Bulletin - Browser Malware Taxonomy




Journal : http://www.virusbtn.com/virusbulletin/archive/2011/06/vb201106-browser-malware-taxonomy

We will be releasing more papers from Virus Bulletin once we complete the three-month time period from the date of publication. It's all about serving the contract.