Tuesday, August 28, 2012

Intuit Phishing Campaign - Mighty BlackHole in Action

An Intuit phishing campaign started today. The structure and concept of the attack are the same as discussed earlier. Let's dissect the details of this campaign. The email arrives in the inbox in the format presented below:

The accompanying link is: hxxp://numerodedicato.altervista.org/blog/wp-content/uploads/fgallery/updint.html. On visiting the link, the user finds a webpage with the following layout:

The message looks interesting. The webpage executes a second JavaScript that loads content from a third-party domain. The deobfuscated script is here: http://pastebin.com/MVCH8M3N

Deobfuscation yields an iframe that loads content from the following URL: hxxp://roadmateremove.org/main.php?page=9bb4aab85fa703f5

The obfuscated plugin script is here: http://pastebin.com/biZnVwMD
The deobfuscated plugin script is here: http://pastebin.com/hsKKn6EP

Many AV engines rate this website as benign, but the domain is hosting a BlackHole exploit pack. Let's look further:

On deobfuscation we get applet code as follows:

Something seems suspicious with the Pre.jar file here. Further, the request to hxxp://roadmateremove.org/data/hhcp.php?c=8896e loads the iframe for the plugin detection code. After successful verification and fingerprinting, the Pre.jar file is served to vulnerable systems. A quick check on VirusTotal only provides a reference to the Blackhole exploit.

Check: https://www.virustotal.com/file/65ac3d0ef75cad088c80bcb238fe6206c42866a8e73676f5b5dd6b235871f874/analysis/1346173365/

Definitely a Java exploit in action.

This analysis is based on the specific link accompanying this sample. The embedded links might change in other phishing emails.

Be Secure.

Tuesday, August 7, 2012

LinkedIn Invitation Phishing - BlackHole in Action (2)

Last time we discussed the LinkedIn phishing attack here - http://secniche.blogspot.com/2012/06/linkedin-phishing-attack-exploit.html. Within the last 2-3 days there has been a significant increase in malicious LinkedIn invitation emails. The attackers are exploiting brand names, as discussed earlier in our post on the AT&T phishing attack here: http://secniche.blogspot.com/2012/08/at-phishing-attack-blackhole-back-in.html.

The LinkedIn phishing attack again follows the same pattern, and some of the details are discussed in this post. The phishing email layout is presented below:

Visiting the link resulted in the following message.

The execution process is the same as discussed earlier for these phishing attacks. The deobfuscated script is shown below:

The HTML content of the phishing email is here: http://pastebin.com/tbyxaEXs.

The complete script is here: http://pastebin.com/kvnvMrma

The script patterns are the same; only the URL of the malicious domain varies. Just be proactive and paranoid when interacting with these types of emails.

Monday, August 6, 2012

AT&T Phishing Attack - BlackHole Back in Action

Attackers are using legitimate organizations' brand names to distribute phishing emails to large sections of users. This time the AT&T brand name is used to deliver phishing emails. We have been receiving these emails continuously. The first attempt made by the phisher failed because the injected links were not embedded correctly, which made that phishing attempt useless. The very next day we received a similar email, but this time the phishers were on target: the second email contained working malicious links. Let's have a look at the phishing email message:


On following the embedded links, the browser was forced to visit the malicious domain presented below:

This page contains an obfuscated malicious iframe that renders dynamically to load a plugin detection script from a third-party domain; the script fingerprints the user's environment and serves the matching exploit. The BlackHole exploit pack (BEP) is used to deliver exploits against vulnerable browsers and plugins. The iframe loads the webpage that contains the plugin detection script. The page shows a redirection message as follows:

The HTML content of the phishing email is pasted here - http://pastebin.com/epGAx7fr

The malicious script (deobfuscated) can be found here: http://pastebin.com/Ne4j5zmd

This link - hxxp://voicecontroldevotes.info/main.php?page=6df8994172330e77 - loads the plugin fingerprinting script and connects back to the BlackHole BEP.
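The landing URL above and the ones in the Intuit post (main.php?page=<16 hex chars>, then data/<name>.php?c=<hex>) have a fixed enough shape to hunt for in proxy logs and in decoded iframe output. The following is an added example, not code from the original posts: a small Python detector that refangs hxxp:// links, classifies URLs against those two shapes, pulls iframe targets out of already-deobfuscated HTML, and turns proxy-log hits into a host blocklist. The log format, the sample HTML and the sample log lines are constructed for the example; other BlackHole versions use other URL shapes, so these patterns are indicators for these campaigns, not a complete kit signature.

```python
"""Added example, not code from the original posts: flag BlackHole-style
landing and fingerprinting URLs in decoded page content and in proxy logs.

The URL shapes are taken from the links quoted in the Intuit and AT&T posts:
  landing page : /main.php?page=<16 hex chars>
  second stage : /data/<name>.php?c=<hex>
Other kit versions use other shapes, so treat these as indicators, not a
complete signature. Log format and all sample data below are constructed."""
import re
from urllib.parse import urlparse

LANDING = re.compile(r"/main\.php\?page=[0-9a-f]{16}(?![0-9a-f])", re.I)
STAGE2 = re.compile(r"/data/\w+\.php\?c=[0-9a-f]+(?![0-9a-f])", re.I)
# src attribute of an iframe in decoded HTML (quotes optional, as in the
# output of document.write()-style droppers)
IFRAME_SRC = re.compile(r"<iframe\b[^>]*?\bsrc\s*=\s*['\"]?([^'\" >]+)", re.I)


def refang(url):
    """Undo the hxxp:// defanging used in write-ups so urlparse() works."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url.strip(), flags=re.I)


def classify(url):
    """Return 'bh_landing', 'bh_stage2' or None for a single URL."""
    u = refang(url)
    if LANDING.search(u):
        return "bh_landing"
    if STAGE2.search(u):
        return "bh_stage2"
    return None


def iframe_targets(html):
    """Collect iframe src values from (already deobfuscated) HTML."""
    return [m.group(1) for m in IFRAME_SRC.finditer(html)]


def scan_log(lines):
    """Scan 'timestamp client url' lines; return (host, stage, url) hits.

    The first hop (the compromised site hosting the phishing page) has no
    fixed shape and is not matched here; it needs a blocklist or the
    referrer chain instead."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        url = parts[2]
        stage = classify(url)
        if stage:
            hits.append((urlparse(refang(url)).hostname, stage, url))
    return hits


def hosts_to_block(hits):
    """Distinct exploit-kit hosts from scan_log() output, for a blocklist."""
    return sorted({host for host, _stage, _url in hits})


# Constructed sample: the iframe a deobfuscated landing script would emit.
SAMPLE_HTML = (
    "<html><body><b>Please wait...</b>"
    "<iframe src=hxxp://roadmateremove.org/main.php?page=9bb4aab85fa703f5 "
    "width=1 height=1></iframe></body></html>"
)

# Constructed proxy log: phishing page, kit landing page, fingerprinting
# request, then an unrelated page that happens to use a 'page=' parameter.
SAMPLE_LOG = [
    "2012-08-28T10:01:02 10.0.0.7 http://numerodedicato.altervista.org/blog/wp-content/uploads/fgallery/updint.html",
    "2012-08-28T10:01:03 10.0.0.7 http://roadmateremove.org/main.php?page=9bb4aab85fa703f5",
    "2012-08-28T10:01:05 10.0.0.7 http://roadmateremove.org/data/hhcp.php?c=8896e",
    "2012-08-28T10:02:00 10.0.0.9 http://www.example.com/index.php?page=home",
]

if __name__ == "__main__":
    for src in iframe_targets(SAMPLE_HTML):
        print("iframe ->", src, classify(src))
    hits = scan_log(SAMPLE_LOG)
    for host, stage, url in hits:
        print(stage, host, url)
    print("block:", hosts_to_block(hits))
```

The negative lookahead after the hex run keeps a 17- or 18-character value from matching, and the benign index.php?page=home line is left alone, so the detector keys on the kit's path and parameter shape rather than on the word "page". Feed it your proxy or mail-gateway URL extractions; the altervista.org first hop will never match and has to come from a blocklist of known compromised sites.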

Several other domain names resolving to this host's IP have been used to spread malware via BlackHole. Query here - http://www.malwaredomainlist.com/mdl.php?search=

These emails are delivered as if legitimate, and spam detection engines fail to provide any protection. Try not to fall prey to these phishing attempts.

Virus Bulletin - ICE IX Bot Paper

This month we published a paper analysing the ICE IX bot in Virus Bulletin magazine.

Abstract: "The ICE IX bot is considered to be a descendant of the Zeus botnet because it uses some of Zeus's source code. ICE IX communicates using the HTTP protocol, so it can be considered to be a third generation botnet. While it has been used for a variety of purposes, a major threat of ICE IX comes from its manipulation of banking operations on infected machines. As with any bot, infection results in establishing a master-slave relationship between the botmaster and the compromised machine."

Subscribe to the magazine: http://www.virusbtn.com/virusbulletin/archive/2012/08/vb201208-ICE-bot

The paper will be released on this site after the contractual obligations are over.


Thursday, August 2, 2012

Digital Forensics Magazine - Dismantling SMS based Two-factor Authentication - Malware

We have recently published details of the SMS-based two-factor authentication attack used by Third Generation Botnets (TGBs), in which both the desktop system and the mobile platform are exploited. If you remember, Spitmo, Zitmo and other variants are used to accomplish this kind of attack.

Outline: "Malware is impacting the security and integrity of the World Wide Web especially for banks and financial institutions. This article looks at a new exploitation technique used by malware to circumvent two-factor authentication."

About DF: "Digital Forensics Magazine is a quarterly features and news magazine from the world of computer and cyber crime and digital forensics."

Right now the magazine is available to subscribers only, but you can also read it online by creating an account.

Enjoy!